From 0b4d48ba74cca40e983d96ba13e66908cf5b5666 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sat, 5 Jul 2008 09:44:53 +1000
Subject: [PATCH]    - djm@cvs.openbsd.org 2008/07/04 23:30:16      [auth1.c
 auth2.c]      Make protocol 1 MaxAuthTries logic match protocol 2's.      Do
 not treat the first protocol 2 authentication attempt as      a failure IFF
 it is for method "none".      Makes MaxAuthTries' user-visible behaviour
 identical for      protocol 1 vs 2.      ok dtucker@

---
 ChangeLog | 10 +++++++++-
 auth1.c   |  6 ++++--
 auth2.c   |  9 +++++++--
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6cd833b32..225eff6cc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,14 @@
    - djm@cvs.openbsd.org 2008/07/04 23:08:25
      [packet.c]
      handle EINTR in packet_write_poll()l ok dtucker@
+   - djm@cvs.openbsd.org 2008/07/04 23:30:16
+     [auth1.c auth2.c]
+     Make protocol 1 MaxAuthTries logic match protocol 2's.
+     Do not treat the first protocol 2 authentication attempt as
+     a failure IFF it is for method "none".
+     Makes MaxAuthTries' user-visible behaviour identical for
+     protocol 1 vs 2.
+     ok dtucker@
 
 20080704
  - (dtucker) OpenBSD CVS Sync
@@ -4582,4 +4590,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.5061 2008/07/04 23:40:56 djm Exp $
+$Id: ChangeLog,v 1.5062 2008/07/04 23:44:53 djm Exp $
diff --git a/auth1.c b/auth1.c
index b5798f634..834ef0452 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -284,6 +284,8 @@ do_authloop(Authctxt *authctxt)
 		    type != SSH_CMSG_AUTH_TIS_RESPONSE)
 			abandon_challenge_response(authctxt);
 
+		if (authctxt->failures >= options.max_authtries)
+			goto skip;
 		if ((meth = lookup_authmethod1(type)) == NULL) {
 			logit("Unknown message during authentication: "
 			    "type %d", type);
@@ -368,7 +370,7 @@ do_authloop(Authctxt *authctxt)
 		if (authenticated)
 			return;
 
-		if (authctxt->failures++ > options.max_authtries) {
+		if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
diff --git a/auth2.c b/auth2.c
index 4b96c652f..a835abfc6 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -36,6 +36,7 @@
 #include <unistd.h>
 
 #include "xmalloc.h"
+#include "atomicio.h"
 #include "ssh2.h"
 #include "packet.h"
 #include "log.h"
@@ -333,7 +334,11 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 		/* now we can break out */
 		authctxt->success = 1;
 	} else {
-		if (++authctxt->failures >= options.max_authtries) {
+
+		/* Allow initial try of "none" auth without failure penalty */
+		if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+			authctxt->failures++;
+		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif