Return PAM_MAXTRIES on too many auth failures

denisonbarbosa · denisonbarbosa · commit 1cd7c8b76b5b · 2026-04-09T10:14:35.000-04:00
We used to return PAM_AUTH_ERR, but this created problems in some
adapters, since they would keep retriggering the authentication requests
even after MAX_TRIES was reached. Returning PAM_MAXTRIES should stop the
requests from coming.
diff --git a/examplebroker/broker.go b/examplebroker/broker.go
@@ -655,6 +655,7 @@ func (b *Broker) IsAuthenticated(ctx context.Context, sessionID, authenticationD
 		sessionInfo.attemptsPerMode[sessionInfo.currentAuthMode]++
 		if sessionInfo.attemptsPerMode[sessionInfo.currentAuthMode] >= maxAttempts {
 			access = auth.Denied
+			data = `{"message": "Maximum number of authentication attempts reached"}`
 		}
 	}
 
diff --git a/pam/integration-tests/gdm_test.go b/pam/integration-tests/gdm_test.go
@@ -875,13 +875,13 @@ func TestGdmModule(t *testing.T) {
 				},
 				{
 					Access: auth.Denied,
-					Msg:    "invalid password 'really, it's not a goodpass!', should be 'goodpass'",
+					Msg:    "Maximum number of authentication attempts reached",
 				},
 			},
 			wantPamErrorMessages: []string{
-				"invalid password 'really, it's not a goodpass!', should be 'goodpass'",
+				"Maximum number of authentication attempts reached",
 			},
-			wantError:       pam.ErrAuth,
+			wantError:       pam.ErrMaxtries,
 			wantAcctMgmtErr: pam_test.ErrIgnore,
 		},
 		"Error_on_authenticating_unknown_user": {
diff --git a/pam/integration-tests/testdata/golden/TestCLIAuthenticate/Deny_authentication_if_max_attempts_reached b/pam/integration-tests/testdata/golden/TestCLIAuthenticate/Deny_authentication_if_max_attempts_reached
@@ -81,11 +81,11 @@ invalid password 'wrongpass', should be 'goodpass'
   Press escape key to go back to select the authentication method
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TEST_TAPE_SOCKET}
-PAM Error Message: invalid password 'wrongpass', should be 'goodpass'
+PAM Error Message: Maximum number of authentication attempts reached
 PAM Authenticate()
   User: "user-integration-max-attempts@example.com"
-  Result: error: PAM exit code: 7
-    Authentication failure
+  Result: error: PAM exit code: 11
+    Have exhausted maximum number of retries for service
 PAM Info Message: acct=incomplete
 PAM AcctMgmt()
   User: "user-integration-max-attempts@example.com"
diff --git a/pam/integration-tests/testdata/golden/TestCLIChangeAuthTok/Prevent_change_password_if_auth_fails b/pam/integration-tests/testdata/golden/TestCLIChangeAuthTok/Prevent_change_password_if_auth_fails
@@ -81,11 +81,11 @@ invalid password 'wrongpass', should be 'goodpass'
   Press escape key to go back to select the authentication method
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd passwd socket=${AUTHD_TEST_TAPE_SOCKET}
-PAM Error Message: invalid password 'wrongpass', should be 'goodpass'
+PAM Error Message: Maximum number of authentication attempts reached
 PAM ChangeAuthTok()
   User: "user-integration-cli-passwd-prevent-change-password-if-auth-fails@example.com"
-  Result: error: PAM exit code: 7
-    Authentication failure
+  Result: error: PAM exit code: 11
+    Have exhausted maximum number of retries for service
 PAM Info Message: acct=incomplete
 PAM AcctMgmt()
   User: "user-integration-cli-passwd-prevent-change-password-if-auth-fails@example.com"
diff --git a/pam/integration-tests/testdata/golden/TestNativeAuthenticate/Deny_authentication_if_max_attempts_reached b/pam/integration-tests/testdata/golden/TestNativeAuthenticate/Deny_authentication_if_max_attempts_reached
@@ -147,11 +147,11 @@ PAM Error Message: invalid password 'wrongpass', should be 'goodpass'
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
-PAM Error Message: invalid password 'wrongpass', should be 'goodpass'
+PAM Error Message: Maximum number of authentication attempts reached
 PAM Authenticate()
   User: "user-integration-native-deny-authentication-if-max-attempts-reached@example.com"
-  Result: error: PAM exit code: 7
-    Authentication failure
+  Result: error: PAM exit code: 11
+    Have exhausted maximum number of retries for service
 acct=incomplete
 PAM AcctMgmt()
   User: "user-integration-native-deny-authentication-if-max-attempts-reached@example.com"
diff --git a/pam/integration-tests/testdata/golden/TestNativeChangeAuthTok/Prevent_change_password_if_auth_fails b/pam/integration-tests/testdata/golden/TestNativeChangeAuthTok/Prevent_change_password_if_auth_fails
@@ -166,11 +166,11 @@ PAM Error Message: invalid password 'wrongpass', should be 'goodpass'
 Enter 'r' to cancel the request and go back to select the authentication method
 Gimme your password:
 >
-PAM Error Message: invalid password 'wrongpass', should be 'goodpass'
+PAM Error Message: Maximum number of authentication attempts reached
 PAM ChangeAuthTok()
   User: "user-integration-native-passwd-prevent-change-password-if-auth-fails@example.com"
-  Result: error: PAM exit code: 7
-    Authentication failure
+  Result: error: PAM exit code: 11
+    Have exhausted maximum number of retries for service
 acct=incomplete
 PAM AcctMgmt()
   User: "user-integration-native-passwd-prevent-change-password-if-auth-fails@example.com"
diff --git a/pam/integration-tests/testdata/golden/TestSSHAuthenticate/Deny_authentication_if_max_attempts_reached b/pam/integration-tests/testdata/golden/TestSSHAuthenticate/Deny_authentication_if_max_attempts_reached
@@ -147,7 +147,7 @@ invalid password 'wrongpass', should be 'goodpass'
 Enter 'r' to cancel the request and go back to select the authentication method
 (user-integration-pre-check-ssh-deny-authentication-if-max-attempts-reached@example.com@localhost) Gimme your password:
 >
-invalid password 'wrongpass', should be 'goodpass'
+Maximum number of authentication attempts reached
 Received disconnect from ${SSH_HOST} port ${SSH_PORT} Too many authentication failures
 Disconnected from ${SSH_HOST} port ${SSH_PORT}
 >
diff --git a/pam/integration-tests/testdata/golden/TestSSHAuthenticate/Deny_authentication_if_max_attempts_reached_with_shared_sshd b/pam/integration-tests/testdata/golden/TestSSHAuthenticate/Deny_authentication_if_max_attempts_reached_with_shared_sshd
@@ -147,7 +147,7 @@ invalid password 'wrongpass', should be 'goodpass'
 Enter 'r' to cancel the request and go back to select the authentication method
 (user-integration-pre-check-ssh-deny-authentication-if-max-attempts-reached-with-shared-sshd@example.com@localhost) Gimme your password:
 >
-invalid password 'wrongpass', should be 'goodpass'
+Maximum number of authentication attempts reached
 Received disconnect from ${SSH_HOST} port ${SSH_PORT} Too many authentication failures
 Disconnected from ${SSH_HOST} port ${SSH_PORT}
 >
diff --git a/pam/integration-tests/testdata/tapes/native/max_attempts.tape b/pam/integration-tests/testdata/tapes/native/max_attempts.tape
@@ -44,6 +44,6 @@ Show
 Hide
 Type "wrongpass"
 Enter
-Wait+Nth(5)  /invalid password 'wrongpass', should be/
+Wait+Screen  /Maximum number of authentication attempts reached/
 ${AUTHD_TEST_TAPE_COMMAND_AUTH_FINAL_WAIT}
 Show
diff --git a/pam/integration-tests/testdata/tapes/native/passwd_auth_fail.tape b/pam/integration-tests/testdata/tapes/native/passwd_auth_fail.tape
@@ -50,6 +50,6 @@ Show
 Hide
 Type "wrongpass"
 Enter
-Wait+Nth(5) /invalid password 'wrongpass', should be/
+Wait+Screen /Maximum number of authentication attempts reached/
 ${AUTHD_TEST_TAPE_COMMAND_PASSWD_FINAL_WAIT}
 Show
diff --git a/pam/internal/adapter/authentication.go b/pam/internal/adapter/authentication.go
@@ -353,6 +353,9 @@ func (m authenticationModel) Update(msg tea.Msg) (authModel authenticationModel,
 			return m, sendEvent(startAuthentication{})
 
 		case auth.Denied:
+			if authMsg == "Maximum number of authentication attempts reached" {
+				return m, sendEvent(pamError{status: pam.ErrMaxtries, msg: authMsg})
+			}
 			if authMsg == "" {
 				authMsg = "Access denied"
 			}

Original file line number	Diff line number	Diff line change
`@@ -655,6 +655,7 @@ func (b *Broker) IsAuthenticated(ctx context.Context, sessionID, authenticationD`
`655`	`655`	`sessionInfo.attemptsPerMode[sessionInfo.currentAuthMode]++`
`656`	`656`	`if sessionInfo.attemptsPerMode[sessionInfo.currentAuthMode] >= maxAttempts {`
`657`	`657`	`access = auth.Denied`
	`658`	+ data = `{"message": "Maximum number of authentication attempts reached"}`
`658`	`659`	`}`
`659`	`660`	`}`
`660`	`661`
Original file line number	Diff line number	Diff line change
`@@ -147,7 +147,7 @@ invalid password 'wrongpass', should be 'goodpass'`
`147`	`147`	`Enter 'r' to cancel the request and go back to select the authentication method`
`148`	`148`	`(user-integration-pre-check-ssh-deny-authentication-if-max-attempts-reached@example.com@localhost) Gimme your password:`
`149`	`149`	`>`
`150`		`-invalid password 'wrongpass', should be 'goodpass'`
	`150`	`+Maximum number of authentication attempts reached`
`151`	`151`	`Received disconnect from ${SSH_HOST} port ${SSH_PORT} Too many authentication failures`
`152`	`152`	`Disconnected from ${SSH_HOST} port ${SSH_PORT}`
`153`	`153`	`>`