loginlog and authlog do not capture the failed login attempts using ssh and CDE login!

I had created /var/adm/loginlog and /var/log/authlog, with permission set to 600, and group is sys. Using CDE or ssh to log in is not captured by loginlog or authlog. However, using telnet, failed attempts are recorded in both logs. I need to configure the system in such a way that ssh and CDE will record to loginlog after 3 bad login attempts, and record every failed attempt to authlog. I already configured
retries=3
SYSLOG_FAILED_LOGINS=0. Any ideas?
Asked by: as618
 
PsiCop commented:
That's because SSH does not use the mechanism you're configuring.

SSH logs to either its own file, or to the FACILITY specified in the sshd_config file. I generally point mine to one of the LOCAL facilities. You can configure this at compile-time, or using directives in sshd_config.
 
Nopius commented:
/var/adm/loginlog is used by the /bin/login program only. This file is checked and filled by /bin/login.

Any authentication program that uses the standard '/bin/login' program will log to /var/adm/loginlog.
- in.telnetd uses '/bin/login' for authentication.
- sshd doesn't, but it can if you compile openssh instead of using the standard Solaris shipped version and enable the option 'UseLogin yes' in sshd_config
- CDE doesn't and cannot be tuned to use the 'login' program for authentication.

Almost any authentication program uses syslog to log failed attempts.
man syslog.conf
for details. Something about syslog facilities has already been said by PsiCop.
You should tune your syslogd.conf to log all messages (up to debug level) to some file and then grep this file for login failures.

 
yuzh commented:
Edit /etc/default/login file

      # Allow 3 login attempts
              RETRIES=3      

       #note "RETRIES" - all uppercase.

When a user fails to type in his/her password, it is logged to /var/adm/loginlog.
You need to make sure /var/adm/loginlog exists, e.g.

     touch  /var/adm/loginlog
Question has a verified solution.
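
The answers above point out that sshd reports failures through syslog rather than /var/adm/loginlog, and suggest grepping the syslog file for login failures. The following is an added example, not code from any of the posters: a shell function that approximates the loginlog threshold (the asker's 3 attempts) from syslog output. It assumes the OpenSSH message form "Failed <method> for [invalid user] <user> from <address>"; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of an auth log (not taken from a real system).
sample_authlog() {
cat <<'EOF'
Mar  3 10:01:12 sol10 sshd[1201]: [ID 800047 auth.info] Failed password for alice from 192.0.2.10 port 40112 ssh2
Mar  3 10:01:15 sol10 sshd[1201]: [ID 800047 auth.info] Failed password for alice from 192.0.2.10 port 40112 ssh2
Mar  3 10:01:19 sol10 sshd[1201]: [ID 800047 auth.info] Failed password for alice from 192.0.2.10 port 40112 ssh2
Mar  3 10:02:40 sol10 sshd[1250]: [ID 800047 auth.info] Failed password for invalid user bob from 198.51.100.7 port 51000 ssh2
Mar  3 10:02:44 sol10 sshd[1250]: [ID 800047 auth.info] Failed password for invalid user bob from 198.51.100.7 port 51000 ssh2
Mar  3 10:03:05 sol10 sshd[1260]: [ID 800047 auth.info] Accepted password for carol from 192.0.2.33 port 40200 ssh2
Mar  3 10:04:00 sol10 login: [ID 143248 auth.notice] Login failure on /dev/pts/3 from 192.0.2.50
EOF
}

# ssh_failed_logins FILE [MIN]
# Print "count user source" for every user/source pair with at least MIN
# failed sshd logins (default 3). FILE may be "-" to read standard input.
ssh_failed_logins() {
    awk -v min="${2:-3}" '
        index($0, "sshd[") && / Failed [^ ]+ for / {
            # Locate the "Failed" token; the syslog prefix length varies.
            for (i = 1; i <= NF; i++) if ($i == "Failed") break
            j = i + 3                      # skip: Failed <method> for
            # Unknown accounts are logged as "invalid user NAME"
            # ("illegal user NAME" in older OpenSSH releases).
            if (($j == "invalid" || $j == "illegal") && $(j + 1) == "user")
                j += 2
            count[$j " " $(j + 2)]++       # $(j+1) is "from"
        }
        END {
            for (k in count)
                if (count[k] >= min) print count[k], k
        }
    ' "${1:--}" | sort -k1,1nr -k2
}

# Demo on the constructed sample, using the asker's threshold of 3.
sample_authlog | ssh_failed_logins - 3
```
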