Date:      Tue, 25 Sep 2007 08:45:18 -0500
From:      CyberLeo Kitsana <cyberleo@cyberleo.net>
To:        Rakhesh Sasidharan <rakhesh@rakhesh.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Confusion on SSH and PAM
Message-ID:  <46F910EE.6070005@cyberleo.net>
In-Reply-To: <20070925150058.J79029@dogmatix.home.rakhesh.com>
References:  <20070925150058.J79029@dogmatix.home.rakhesh.com>

Rakhesh Sasidharan wrote:
> Any ideas or nudges in the right direction as to why this is happening?
> Looks like I've understood the interaction between SSH and PAM wrong
> here, so would appreciate some enlightenment.

According to my understanding of the SSH protocol, you're continually
asked because an authentication failure is not a fatal error.

When authenticating an SSH session, a list of mutually supported methods
is compiled (public-key, challenge-response, S/Key,
keyboard-interactive, plaintext) and the client cycles through the list
based on what it thinks is most likely to work.

It's perfectly acceptable for a client to attempt password
authentication before public-key, or even interleave them. All the
server can do is say yay or nay to an attempt with a restricted method,
because it cannot know if the next attempt may utilize an allowed method.

After the requisite three or five failed attempts (depending on the
server config), it may send a general failure code (too many failed
attempts) and disconnect the client at its discretion.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo@CyberLeo.Net>

Furry Peace! - http://wwww.fur.com/peace/
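
The exchange described in the message above, as an added Python example that is not part of the original e-mail or of OpenSSH: a toy server answers each attempt with the non-fatal SSH_MSG_USERAUTH_FAILURE reply from RFC 4252 and disconnects at a failure limit. The AuthServer class, its verify callback, the max_tries value and the sample credentials are assumptions made for the illustration.

```python
import struct

# Message numbers from RFC 4253 / RFC 4252.
SSH_MSG_DISCONNECT = 1
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52


def name_list(names):
    """Encode an SSH name-list: uint32 length, then comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def userauth_failure(can_continue, partial_success=False):
    """SSH_MSG_USERAUTH_FAILURE payload: byte 51, name-list, boolean."""
    return (bytes([SSH_MSG_USERAUTH_FAILURE]) + name_list(can_continue)
            + bytes([int(partial_success)]))


class AuthServer:
    """Toy model of a server's user-auth loop (hypothetical, not sshd's code)."""

    def __init__(self, allowed, max_tries, verify):
        self.allowed = list(allowed)  # methods the server accepts
        self.max_tries = max_tries    # assumed failure limit
        self.verify = verify          # hypothetical callback(method, credential)
        self.failures = 0

    def handle_request(self, method, credential):
        """Return (message number, payload) for one authentication request."""
        if method in self.allowed and self.verify(method, credential):
            return SSH_MSG_USERAUTH_SUCCESS, bytes([SSH_MSG_USERAUTH_SUCCESS])
        # A refused method and a bad credential get the same non-fatal reply.
        self.failures += 1
        if self.failures >= self.max_tries:
            return SSH_MSG_DISCONNECT, b""  # disconnect payload not modelled
        return SSH_MSG_USERAUTH_FAILURE, userauth_failure(self.allowed)


def run_client(server, attempts):
    """Send the client's ordered attempts; return the reply numbers seen."""
    replies = []
    for method, credential in attempts:
        number, _payload = server.handle_request(method, credential)
        replies.append(number)
        if number != SSH_MSG_USERAUTH_FAILURE:
            break  # success or disconnect ends the exchange
    return replies
```

A client that tries a refused method first still succeeds on a later allowed one; only the failure count ends the session.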


