Troubleshooting “PAM service(sshd) ignoring max retries” Error on Ubuntu Server SSH Connections



When you see messages like PAM service(sshd) ignoring max retries; 6 > 3 in your SSH console, it indicates a configuration mismatch between PAM (Pluggable Authentication Modules) and your SSH daemon settings. The two numbers (6 and 3 in this case) are the two limits on authentication attempts: the larger one is what sshd allows, the smaller one is what PAM is configured with.

This typically occurs when:

  • PAM's pam_tally2.so module has different retry limits than sshd_config
  • Ubuntu 12.04's default PAM configuration needs updating
  • There are multiple authentication methods configured with conflicting limits

The main configuration files that control this behavior are:

/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/security/pam_tally2.conf

Here's how to resolve this properly:

# First, check your current SSH configuration
grep "MaxAuthTries" /etc/ssh/sshd_config

# Then check PAM configuration (match on the module name: the whitespace between
# fields varies from file to file, so a fixed-string grep of the whole line often misses it;
# /etc/pam.d/sshd also includes common-auth, where Ubuntu normally keeps lockout modules)
grep -nE 'pam_(tally2|faillock)' /etc/pam.d/sshd /etc/pam.d/common-auth

# To make them consistent, edit the PAM configuration:
sudo nano /etc/pam.d/sshd

Adjust the pam_tally2 line so its deny= value matches your SSH configuration (pam_tally2 only resets its counter after a successful login when the module also has an account-phase entry; see pam_tally2(8)). For example:

auth required pam_tally2.so deny=5 unlock_time=1800

If you just want to suppress the messages without changing security settings:

# Edit sshd_config
sudo nano /etc/ssh/sshd_config

# Add or modify this line (not recommended for production)
LogLevel QUIET

While the messages might be annoying, they serve an important security purpose:

  • They indicate potential brute force attacks
  • Help identify configuration inconsistencies
  • Provide audit trail for failed login attempts
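The point that these messages flag brute-force attempts can be turned into a quick triage of auth.log. The shell functions below are an added example and not part of the original article; they read log lines on stdin so they work on a tail of the real file, and the log lines embedded here are constructed samples in the 12.04-era auth.log format using documentation addresses. The threshold argument is assumed to default to sshd's MaxAuthTries of 6.

```shell
#!/bin/sh
# Added example (not from the original article): triage sshd failures in auth.log.
# Reads log lines on stdin so it works on `tail -n 2000 /var/log/auth.log` or on the
# constructed sample below.

# Count "Failed password" events per source address; prints "<count> <ip>", highest first.
failed_password_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print addresses whose failure count reaches the threshold (default 6, sshd's MaxAuthTries
# default): a single client burning a whole MaxAuthTries budget is worth a closer look.
sources_over_threshold() {
    _limit="${1:-6}"
    failed_password_by_ip | awk -v lim="$_limit" '$1 >= lim { print $2 }'
}

# Count how often PAM reported the retry mismatch; each notice is one session that ran
# past the PAM limit, so the count is also a rough measure of how hard a host was hit.
max_retry_notices() {
    grep -c 'PAM service(sshd) ignoring max retries' || true
}

# Constructed sample log: one client (203.0.113.7) fails seven times across two sessions,
# a legitimate user from 198.51.100.4 mistypes a password once.
SAMPLE_LOG=$(cat <<'EOF'
Apr 11 08:41:10 vps847 sshd[2345]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 11 08:41:12 vps847 sshd[2345]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 11 08:41:14 vps847 sshd[2345]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 11 08:41:16 vps847 sshd[2345]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 11 08:41:17 vps847 sshd[2345]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 11 08:41:18 vps847 sshd[2345]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 11 08:41:18 vps847 sshd[2345]: PAM service(sshd) ignoring max retries; 6 > 3
Apr 11 08:41:25 vps847 sshd[2360]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 11 08:42:01 vps847 sshd[2400]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
Apr 11 08:43:05 vps847 sshd[2410]: Failed password for alice from 198.51.100.4 port 40010 ssh2
EOF
)

# Stand-alone run: lists 203.0.113.7, the only source at or above six failures.
printf '%s\n' "$SAMPLE_LOG" | sources_over_threshold 6
```

On a live host, `sudo tail -n 5000 /var/log/auth.log | sources_over_threshold` gives the same listing; the per-address counts are a reasonable starting point for a fail2ban jail's maxretry value.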

For production systems, consider implementing fail2ban as a more robust solution:

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

After making changes:

sudo service ssh restart
sudo tail -f /var/log/auth.log

Test failed logins to ensure the new limits are enforced:

ssh user@localhost

When working with SSH on Ubuntu servers (particularly older versions like 12.04), you might encounter this peculiar warning:

2014 Apr 11 08:41:18 vps847 PAM service(sshd) ignoring max retries; 6 > 3

This message indicates that your PAM (Pluggable Authentication Modules) configuration for SSH has a mismatch between the configured maximum authentication attempts and what the SSH service enforces.

The issue stems from three key components:

  • sshd_config: Defines MaxAuthTries (default 6)
  • PAM configuration: Typically in /etc/pam.d/sshd
  • PAM module settings: Particularly pam_tally2 or pam_faillock

Here's what happens under the hood:

# SSHd default configuration
MaxAuthTries 6

# Typical PAM configuration in /etc/pam.d/sshd
auth required pam_tally2.so deny=3 unlock_time=1200

The warning appears when PAM's deny threshold (3) is lower than SSH's MaxAuthTries (6).
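The comparison described above can be scripted so the mismatch is caught before sshd is restarted. The following shell functions are an added example, not code from the original article: they read MaxAuthTries from an sshd_config file (falling back to sshd's default of 6 when the directive is absent) and the smallest deny= value on any active pam_tally2 or pam_faillock line in the PAM files given, ignoring commented-out lines. It goes slightly beyond the single case in the text in that it checks several PAM files at once (sshd includes common-auth) and handles pam_faillock as well as pam_tally2. The sample files it creates are constructed to reproduce the article's 6 > 3 scenario.

```shell
#!/bin/sh
# Added example (not from the original article): compare sshd's MaxAuthTries with the
# deny= limit of every active pam_tally2/pam_faillock line. Paths are parameters so the
# check can be run against the real files or against the constructed samples below.

# Print the effective MaxAuthTries from an sshd_config file (sshd's default is 6 if unset).
sshd_max_auth_tries() {
    _cfg="$1"
    _v=$(awk 'tolower($1) == "maxauthtries" { print $2; exit }' "$_cfg")
    printf '%s\n' "${_v:-6}"
}

# Print the smallest deny= value found on uncommented pam_tally2/pam_faillock lines
# in the given PAM files; prints nothing if no lockout module is configured.
pam_min_deny() {
    awk '$1 !~ /^#/ && /pam_(tally2|faillock)\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^deny=[0-9]+$/) {
                    split($i, kv, "=")
                    if (min == "" || kv[2] + 0 < min) min = kv[2] + 0
                }
        }
        END { if (min != "") print min }' "$@"
}

# Report whether the two limits are consistent. Exit status 0 = consistent (or no PAM
# lockout configured), 1 = PAM locks the account before sshd stops offering prompts,
# which is exactly the condition behind "ignoring max retries; 6 > 3".
check_retry_consistency() {
    _sshd_cfg="$1"; shift
    _tries=$(sshd_max_auth_tries "$_sshd_cfg")
    _deny=$(pam_min_deny "$@")
    if [ -z "$_deny" ]; then
        echo "MaxAuthTries=$_tries, no pam_tally2/pam_faillock deny= limit active"
        return 0
    fi
    if [ "$_tries" -gt "$_deny" ]; then
        echo "MISMATCH: MaxAuthTries=$_tries > PAM deny=$_deny (expect 'ignoring max retries; $_tries > $_deny')"
        return 1
    fi
    echo "OK: MaxAuthTries=$_tries <= PAM deny=$_deny"
    return 0
}

# Constructed sample files reproducing the article's scenario.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
MaxAuthTries 6
UsePAM yes
EOF
cat > "$SAMPLE_DIR/pam_sshd" <<'EOF'
# auth required pam_tally2.so deny=1 unlock_time=60   (commented out: must be ignored)
auth    required    pam_tally2.so deny=3 unlock_time=1200
@include common-auth
EOF

# Stand-alone run: prints the MISMATCH line for the sample files.
check_retry_consistency "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/pam_sshd" || true
```

Against a live system the call is `check_retry_consistency /etc/ssh/sshd_config /etc/pam.d/sshd /etc/pam.d/common-auth`; the exit status makes it usable as a pre-restart check in a deployment script.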

Option 1: Align SSH and PAM Settings

Edit your SSH configuration:

sudo nano /etc/ssh/sshd_config
# Change to match PAM setting
MaxAuthTries 3
# Restart SSH
sudo service ssh restart

Option 2: Adjust PAM Configuration

Modify the PAM settings to match SSH:

sudo nano /etc/pam.d/sshd
# Change the deny parameter
auth required pam_tally2.so deny=6 unlock_time=1200

Option 3: Disable PAM Account Locking

If you don't need account locking:

# Comment out the pam_tally2 line
# auth required pam_tally2.so deny=3 unlock_time=1200

For modern Ubuntu systems (18.04+), the newer pam_faillock module is preferred; the preauth line goes before pam_unix and the authfail line after it, and pam_faillock(8) also expects an account-phase entry so the counter resets after a successful login:

auth required pam_faillock.so preauth silent deny=3 unlock_time=1200
auth required pam_faillock.so authfail deny=3 unlock_time=1200

Before modifying these settings, consider:

  • Reducing MaxAuthTries improves security against brute force attacks
  • Increasing PAM's deny count makes your system more vulnerable
  • Account lockout mechanisms protect against dictionary attacks

After making changes, verify with:

# Check the setting sshd actually runs with (sshd -T reads the host keys, so it needs root)
sudo sshd -T | grep -i maxauthtries

# Test failed authentication; force password auth so a key does not satisfy the first prompt
ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password -o NumberOfPasswordPrompts=6 user@localhost

Remember to test from another session to avoid locking yourself out!

If you want to keep the security settings but suppress the warnings:

# Modify rsyslog configuration; rules are applied in file order, so the filter must come
# before the rule that writes auth.log (put it at the top of 50-default.conf, or in a
# file that sorts earlier, for example /etc/rsyslog.d/10-drop-pam-retries.conf)
sudo nano /etc/rsyslog.d/50-default.conf
# Add this line ("~" is the legacy discard action used by the rsyslog on 12.04; rsyslog 7+ spells it "stop")
:msg, contains, "PAM service(sshd) ignoring max retries" ~
# Restart logging
sudo service rsyslog restart