- djm@cvs.openbsd.org 2008/07/04 23:30:16

[auth1.c auth2.c]
     Make protocol 1 MaxAuthTries logic match protocol 2's.
     Do not treat the first protocol 2 authentication attempt as
     a failure IFF it is for method "none".
     Makes MaxAuthTries' user-visible behaviour identical for
     protocol 1 vs 2.
     ok dtucker@
Damien Miller 2008-07-05 09:44:53 +10:00
parent d874fa517b
commit 0b4d48ba74
3 changed files with 20 additions and 5 deletions


@ -9,6 +9,14 @@
- djm@cvs.openbsd.org 2008/07/04 23:08:25 - djm@cvs.openbsd.org 2008/07/04 23:08:25
[packet.c] [packet.c]
handle EINTR in packet_write_poll()l ok dtucker@ handle EINTR in packet_write_poll()l ok dtucker@
- djm@cvs.openbsd.org 2008/07/04 23:30:16
[auth1.c auth2.c]
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.
ok dtucker@
20080704 20080704
- (dtucker) OpenBSD CVS Sync - (dtucker) OpenBSD CVS Sync
@ -4582,4 +4590,4 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@ passwords between UnixWare and OpenServer they will still work. OK dtucker@
$Id: ChangeLog,v 1.5061 2008/07/04 23:40:56 djm Exp $ $Id: ChangeLog,v 1.5062 2008/07/04 23:44:53 djm Exp $


@ -1,4 +1,4 @@
/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */ /* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -284,6 +284,8 @@ do_authloop(Authctxt *authctxt)
type != SSH_CMSG_AUTH_TIS_RESPONSE) type != SSH_CMSG_AUTH_TIS_RESPONSE)
abandon_challenge_response(authctxt); abandon_challenge_response(authctxt);
if (authctxt->failures >= options.max_authtries)
goto skip;
if ((meth = lookup_authmethod1(type)) == NULL) { if ((meth = lookup_authmethod1(type)) == NULL) {
logit("Unknown message during authentication: " logit("Unknown message during authentication: "
"type %d", type); "type %d", type);
@ -368,7 +370,7 @@ do_authloop(Authctxt *authctxt)
if (authenticated) if (authenticated)
return; return;
if (authctxt->failures++ > options.max_authtries) { if (++authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
#endif #endif
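Review bot: The new guard `if (authctxt->failures >= options.max_authtries) goto skip;` carries no comment saying why a request is cut off before the method lookup, and the reason is not self-evident, because with the new bottom-of-loop test `++authctxt->failures >= options.max_authtries` the limit branch is entered on the very request that reaches the limit (and presumably disconnects there; the rest of that branch is outside the hunk). As far as I can tell the guard only matters when the limit is already met on entry, e.g. `MaxAuthTries 0` or some path that bumps failures without passing this check, so I would state that: `/* Limit already reached: run no method, fall through to failure accounting at skip: */`. The change from `failures++ > max` to `++failures >= max` also moves the cutoff from the (MaxAuthTries+2)th failed attempt to the MaxAuthTries-th, which is the actual "match protocol 2" behaviour and deserves a line in the commit message. do_authloop and the `skip:` label continue outside the hunk.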


@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */ /* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -36,6 +36,7 @@
#include <unistd.h> #include <unistd.h>
#include "xmalloc.h" #include "xmalloc.h"
#include "atomicio.h"
#include "ssh2.h" #include "ssh2.h"
#include "packet.h" #include "packet.h"
#include "log.h" #include "log.h"
@ -333,7 +334,11 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
/* now we can break out */ /* now we can break out */
authctxt->success = 1; authctxt->success = 1;
} else { } else {
if (++authctxt->failures >= options.max_authtries) {
/* Allow initial try of "none" auth without failure penalty */
if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
#endif #endif
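Review bot: The exemption `if (authctxt->attempt > 1 || strcmp(method, "none") != 0)` is only correct if `authctxt->attempt` has already been incremented for the request being finished by the time userauth_finish runs; that increment is outside the hunk, so the comment should record the dependency and the bound, e.g. `/* Allow initial try of "none" auth without failure penalty; only the very first request (attempt == 1) is exempt, so repeated "none" probes still count towards MaxAuthTries */`. `strcmp(method, "none")` also assumes `method` is never NULL here, which the old single-line test did not need; if any caller of userauth_finish can pass a NULL method name, a `method != NULL &&` belongs in the condition. Separately, the `#include "atomicio.h"` added in the earlier hunk is not used by anything visible in this commit and looks unrelated to the MaxAuthTries change. userauth_finish continues outside the hunk.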