Re: pam/sshd question: allowing a user to try logging in more than once

[Jeremy Brown <jeremy@brownjava.org>]

Oops...I figure I should include my "common-auth" file too, as well as 
mention that I authenticate against LDAP:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required   pam_env.so
auth    sufficient pam_ldap.so
auth    sufficient pam_unix.so use_first_pass
auth    required   pam_deny.so

Jeremy

Jeremy Brown wrote:

> The subject line is fairly self-explanatory.  Currently users who 
> connect to my debian testing machine at work are prompted for their 
> username, then their password only once.  If a user enters a bad 
> password, he or she is kicked out immediately and must open a new ssh 
> connection in order to try again.
>
> I would prefer it if a user were prompted for his or her password up 
> to 3 times before the SSH connection terminates.
>
> I don't completely understand the nuances of PAM, so I'm not sure if 
> this feature--asking for the password multiple times if incorrect--is 
> something that PAM handles or if it's something that OpenSSH handles 
> itself.  Nevertheless, I've seen it done on other UNIX/Linux machines, 
> so I know it can be done.
>
> Here's my libpam0g and openssh version information:
>
> Package: libpam0g
> Version: 0.76-22
>
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.2
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Jeremy Brown
> jeremy@brownjava.org