On Friday, August 14, 2015 01:47:49 PM Ron Colvin wrote:
> A patch for the SSH bug that bypassed the MaxAuthTries limit was just
> patched. Has MaxAuthTries been considered as a control in the security
> guide?

The default value for this is set to "no". We set UsePAM to "yes". Some 
platforms do not have PAM and OpenSSH replicates some of that functionality in 
its code. If you want to control the maximum number of login attempts, you 
should use the pam_faillock module. It is an improvement over pam_tally2 in 
that it tracks login attempts per user. Pam_tally2 is global. Both are hooked 
into the audit system while OpenSSH's MaxAuthTries is not.

HTH...

-Steve
-- 
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
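
The setup recommended in the reply above, as an added example that is not part of the original message or of the SCAP Security Guide content: sshd hands authentication to PAM, and a Red Hat-style auth stack calls pam_faillock around pam_unix. The file paths and the deny, fail_interval and unlock_time values are assumptions chosen for illustration.

```conf
# /etc/ssh/sshd_config (assumed path)
# Hand authentication to the PAM stack so pam_faillock sees SSH logins.
UsePAM yes

# /etc/pam.d/password-auth (assumed path; Red Hat-style layout)
# preauth: runs before the password check and refuses a user who is
# already locked out.
auth        required      pam_faillock.so preauth silent deny=3 fail_interval=900 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
# authfail: reached only when pam_unix did not succeed; records the failure.
auth        [default=die] pam_faillock.so authfail deny=3 fail_interval=900 unlock_time=900
auth        required      pam_deny.so

# account phase: needed so the user's failure count is reset after a
# successful login.
account     required      pam_faillock.so
account     required      pam_unix.so
```

With this in place, `faillock --user <name>` lists the recorded failures for an account and `faillock --user <name> --reset` clears them.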
