
[Junos] Using the "retry-options" feature in a console session


Article ID: KB35520    Last Updated: 11 Mar 2020    Version: 1.0
Summary:

This article supplements the information in Limiting the Number of User Login Attempts for SSH and Telnet Sessions by demonstrating that the retry-options feature also takes effect in a console session in some specific cases.


Symptoms:

On the console, the retry-options feature takes effect for the backoff-factor, backoff-threshold, minimum-time, and tries-before-disconnect settings. The maximum-time and lockout-period settings have no effect on a console session.


Solution:

The following output shows how the retry-options feature works with the minimum-time configuration on the console:

[console]
[2020-02-18 20:35:06.534] FreeBSD/amd64 (R1) (ttyu0)
[2020-02-18 20:35:06.543]
[2020-02-18 20:35:06.543] login: q
[2020-02-18 20:35:07.230] Password:
<< [2020-02-18 20:35:08.495] Login incorrect

On the console, the timer does not start while the prompt shown below is still waiting for a login name, because the login process for the console has not been started yet.

FreeBSD/amd64 (R1) (ttyu0)

login:

[from separated telnet terminal]
root@R1:RE:0% ps -aux | grep log
root        28926   0.0  0.2 861780   8136  0  Ss   20:08      0:00.02 login [pam] (login) << This is for a separated terminal.
root        28938   0.0  0.1  16600   2256  0  S+   20:08      0:00.00 grep log

After you type a login name, the login process starts:

FreeBSD/amd64 (R1) (ttyu0)

login: q
Password:

[from separated terminal]
root@R1:RE:0% ps -aux | grep log
root        28915   0.0  0.2 861780   8016 u0  S
root        28926   0.0  0.2 861780   8136  0  Is   20:08      0:00.02 login [pam] (login)
root        28948   0.0  0.1  16600   2256  0  S+   20:09      0:00.00 grep log

On the other hand, for a telnet/ssh session the login process starts as soon as the session is connected, so the timer starts at that point.

login:

[from separated console terminal]
root@R1:RE:0% ps -aux | grep login
root   28952   0.0  0.2 861780   8108 u0  Is   20:10      0:00.02 login [pam] (
root   28972   0.0  0.1  16600   2260 u0  S+   20:11      0:00.00 grep login
root   28970   0.0  0.1  42136   3240  0  Ss+  20:11      0:00.00 login << Login has started at this time.

As mentioned above, the timer start depends on the type of connection, but the timer always stops at the time of the last failure. In addition, there is a five-second delay before the session is terminated, which is explained in detail in the following example:

{master:0}
labroot@R1> show configuration system login retry-options | display set
set system login retry-options tries-before-disconnect 2
set system login retry-options backoff-threshold 3
set system login retry-options minimum-time 20

With the above configuration, disconnect will occur after the second failure.

[2020-02-18 21:17:39.336] labroot@R1> telnet 10.219.20.126/26
[2020-02-18 21:17:47.802] Trying 10.219.20.126...
[2020-02-18 21:17:47.802] Connected to 10.219.20.126.
[2020-02-18 21:17:47.802] Escape character is '^]'.
[2020-02-18 21:17:47.802] login: q <<< Timer start
[2020-02-18 21:17:53.928] Password:
[2020-02-18 21:17:57.724] Login incorrect
[2020-02-18 21:17:57.725] login:
[2020-02-18 21:17:59.430] login:
[2020-02-18 21:18:02.008] login: q
[2020-02-18 21:18:02.991] Password:
[2020-02-18 21:18:04.006] Login incorrect <<< Timer stop = 21:18:04 - 21:17:47 = 17(runtime) < minimum-time 20

Note: minimum-time (20) - runtime (17) = 3; 3 + 5 (additional delay) = 8 seconds, after which the session is terminated.

[2020-02-18 21:18:11.780] Connection closed by foreign host.
[2020-02-18 21:18:12.051] {master:0}
[2020-02-18 21:18:12.051] labroot@R1>
[2020-02-18 21:18:13.907]
[2020-02-18 21:18:14.174] {master:0}
[2020-02-18 21:18:14.174] labroot@R1>
[2020-02-18 21:19:17.550]
[2020-02-18 21:19:17.785] {master:0}
[2020-02-18 21:19:17.785] labroot@R1>
[2020-02-18 21:19:18.053]
[2020-02-18 21:19:18.053] {master:0}
[2020-02-18 21:19:18.053] labroot@R1> ssh labroot@10.219.20.126
[2020-02-18 21:19:30.421] Password:<<< timer start
[2020-02-18 21:19:38.158] Password:<<< timer stop ---> 21:19:38.158 - 21:19:30.421 = 8(runtime) sec < minimum-time 20

In the above example, minimum-time (20) - runtime (8 sec) = 12; 12 + 5 = 17 second delay, after which the session is terminated.

[2020-02-18 21:19:55.580] Received disconnect from 10.219.20.126 port 22:2: Too many password failures for labroot

[2020-02-12 11:36:41.208] set system login retry-options tries-before-disconnect 4
[2020-02-12 11:36:41.268] set system login retry-options backoff-threshold 3
[2020-02-12 11:36:41.328] set system login retry-options backoff-factor 5
[2020-02-12 11:36:41.378] set system login retry-options minimum-time 40

[2020-02-12 11:37:39.490] EX4600 (ttyd0)
[2020-02-12 11:37:39.530]
[2020-02-12 11:37:39.530] login: testA
[2020-02-12 11:37:42.230] Password: <<
[2020-02-12 11:37:43.380] Login incorrect
[2020-02-12 11:37:43.400] login: testA
[2020-02-12 11:37:45.350] Password:
[2020-02-12 11:37:45.810] Login incorrect
[2020-02-12 11:37:45.850] login: testA
[2020-02-12 11:37:47.850] Password:
[2020-02-12 11:37:48.530] Login incorrect
[2020-02-12 11:37:53.540] login: testA
[2020-02-12 11:37:55.760] Password:
[2020-02-12 11:37:56.980] Login incorrect
[2020-02-12 11:37:58.120]
[2020-02-12 11:37:58.340]
[2020-02-12 11:37:59.510]
[2020-02-12 11:37:59.730]
[2020-02-12 11:38:28.031]
[2020-02-12 11:38:28.031] EX4600 (ttyd0)

In the above example: 11:37:56 – 11:37:42 = 14 < 40.

minimum-time (40) - runtime (14 sec) = 26; 26 + 5 = 31 second delay (11:38:27), after which the session is terminated.
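The three captures above all follow the same rule: the timer starts at the first login prompt (telnet) or the first Password prompt (ssh and console), stops at the last failure, and the session is dropped (minimum-time - runtime) + 5 seconds later. The following Python script, added here as an illustration and not part of the article or of Junos, parses timestamped captures of this form, locates that timer window, and checks the predicted disconnect time against the last line of each capture. The three inputs are trimmed copies of the article's own captures; the `predict` helper and the clamping of a runtime longer than minimum-time to a zero remainder are the example's own assumptions.

```python
"""Model of the retry-options timing described in this article.

Example code (not Juniper's): parse timestamped terminal captures, find the
timer window the article marks (telnet: first "login:" prompt; ssh/console:
first "Password:" prompt; stop: last failure) and apply the article's rule

    delay = (minimum-time - runtime) + 5 seconds

to predict when the session is dropped. Timestamps are truncated to whole
seconds, which is how the article does its arithmetic.
"""
import re
from datetime import datetime, timedelta

EXTRA_DELAY_SECONDS = 5  # the additional delay the article observes after the last failure

LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\]\s*(.*)$")

# Constructed inputs: the article's three captures, trimmed to the relevant lines.
TELNET_CAPTURE = """\
[2020-02-18 21:17:47.802] login: q <<< Timer start
[2020-02-18 21:17:53.928] Password:
[2020-02-18 21:17:57.724] Login incorrect
[2020-02-18 21:17:57.725] login:
[2020-02-18 21:17:59.430] login:
[2020-02-18 21:18:02.008] login: q
[2020-02-18 21:18:02.991] Password:
[2020-02-18 21:18:04.006] Login incorrect
[2020-02-18 21:18:11.780] Connection closed by foreign host.
"""
SSH_CAPTURE = """\
[2020-02-18 21:19:30.421] Password:<<< timer start
[2020-02-18 21:19:38.158] Password:<<< timer stop
[2020-02-18 21:19:55.580] Received disconnect from 10.219.20.126 port 22:2: Too many password failures for labroot
"""
CONSOLE_CAPTURE = """\
[2020-02-12 11:37:39.530] login: testA
[2020-02-12 11:37:42.230] Password: <<
[2020-02-12 11:37:43.380] Login incorrect
[2020-02-12 11:37:43.400] login: testA
[2020-02-12 11:37:45.350] Password:
[2020-02-12 11:37:45.810] Login incorrect
[2020-02-12 11:37:45.850] login: testA
[2020-02-12 11:37:47.850] Password:
[2020-02-12 11:37:48.530] Login incorrect
[2020-02-12 11:37:53.540] login: testA
[2020-02-12 11:37:55.760] Password:
[2020-02-12 11:37:56.980] Login incorrect
[2020-02-12 11:38:28.031] EX4600 (ttyd0)
"""


def parse_capture(capture):
    """Return [(datetime, text)] for each non-empty timestamped line, dropping sub-second digits."""
    events = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2).strip():
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2).strip()))
    return events


def timer_window(events, session):
    """Locate timer start, timer stop and the number of failed attempts as the article marks them."""
    start_prefix = "login:" if session == "telnet" else "Password:"
    start = next(ts for ts, text in events if text.startswith(start_prefix))
    failures = [ts for ts, text in events if text.startswith("Login incorrect")]
    if not failures:  # ssh shows only a repeated Password: prompt, never "Login incorrect"
        failures = [ts for ts, text in events if text.startswith("Password:")]
    return start, failures[-1], len(failures)


def expected_delay(minimum_time, runtime):
    """Seconds from the last failure to the disconnect, per the article's rule.

    Assumption (not stated in the article): a runtime that already exceeds
    minimum-time leaves no remainder, so only the 5-second delay applies.
    """
    return max(0, minimum_time - runtime) + EXTRA_DELAY_SECONDS


def predict(capture, session, minimum_time):
    """Predict the disconnect time and compare it with the capture's final line."""
    events = parse_capture(capture)
    start, stop, attempts = timer_window(events, session)
    runtime = int((stop - start).total_seconds())
    delay = expected_delay(minimum_time, runtime)
    predicted = stop + timedelta(seconds=delay)
    observed = events[-1][0]  # "Connection closed", "Received disconnect", or the console banner
    return {"attempts": attempts, "runtime": runtime, "delay": delay,
            "predicted": predicted, "observed": observed,
            "error_seconds": int((observed - predicted).total_seconds())}


if __name__ == "__main__":
    for name, capture, session, minimum_time in (
        ("telnet", TELNET_CAPTURE, "telnet", 20),
        ("ssh", SSH_CAPTURE, "ssh", 20),
        ("console", CONSOLE_CAPTURE, "console", 40),
    ):
        r = predict(capture, session, minimum_time)
        print(f"{name:8} attempts={r['attempts']} runtime={r['runtime']}s delay={r['delay']}s "
              f"predicted={r['predicted']:%H:%M:%S} observed={r['observed']:%H:%M:%S} "
              f"error={r['error_seconds']:+d}s")
```

Running it reproduces the article's figures (runtimes of 17, 8 and 14 seconds; delays of 8, 17 and 31 seconds) and shows the predicted disconnect landing within one second of the observed "Connection closed", "Received disconnect" and console-banner lines; the one-second differences come from the whole-second truncation, not from the rule itself.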
