diff --git a/ChangeLog b/ChangeLog index 788d91729..48f19a385 100644 --- a/ChangeLog +++ b/ChangeLog @@ -58,6 +58,11 @@ - jmc@cvs.openbsd.org 2014/07/03 07:45:27 [ssh_config.5] escape %C since groff thinks it part of an Rs/Re block; + - djm@cvs.openbsd.org 2014/07/03 11:16:55 + [auth.c auth.h auth1.c auth2.c] + make the "Too many authentication failures" message include the + user, source address, port and protocol in a format similar to the + authentication success / failure messages; bz#2199, ok dtucker 20140702 - OpenBSD CVS Sync diff --git a/auth.c b/auth.c index fcb314cbd..890dde046 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.104 2014/04/29 18:01:49 markus Exp $ */ +/* $OpenBSD: auth.c,v 1.105 2014/07/03 11:16:55 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -326,6 +326,20 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, #endif } + +void +auth_maxtries_exceeded(Authctxt *authctxt) +{ + packet_disconnect("Too many authentication failures for " + "%s%.100s from %.200s port %d %s", + authctxt->valid ? "" : "invalid user ", + authctxt->user, + get_remote_ipaddr(), + get_remote_port(), + compat20 ? "ssh2" : "ssh1"); + /* NOTREACHED */ +} + /* * Check whether root logins are disallowed. */ diff --git a/auth.h b/auth.h index 124e59743..d081c94a6 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.77 2014/01/29 06:18:35 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.78 2014/07/03 11:16:55 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -154,6 +154,7 @@ void auth_info(Authctxt *authctxt, const char *, ...) __attribute__((__format__ (printf, 2, 3))) __attribute__((__nonnull__ (2))); void auth_log(Authctxt *, int, int, const char *, const char *); +void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn)); void userauth_finish(Authctxt *, int, const char *, const char *); int auth_root_allowed(const char *); 
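Review bot: In the auth.c hunk, `auth_maxtries_exceeded()` hands the whole detailed string to `packet_disconnect()`, which sends its formatted message to the peer in the disconnect packet as well as logging it (packet.c is not part of this diff). The `authctxt->valid ? "" : "invalid user "` prefix therefore tells an unauthenticated client whether the account name exists, whereas the old `AUTH_FAIL_MSG` only echoed back the name the client had supplied. I would keep the detail in the server log and make the wire message generic: call `error("Too many authentication failures for %s%.100s from %.200s port %d %s", ...)` with the same arguments, then `packet_disconnect("Too many authentication failures");`. The call sites changed in auth1.c `do_authloop()` and auth2.c `userauth_finish()` inherit whatever this function sends. A one-line comment above the function stating that it logs the failure and never returns would also help readers of those call sites.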
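Review bot: The new prototype in auth.h spells the attribute `__attribute__((noreturn))`, while the declarations just above it in the same hunk use the reserved-underscore forms (`__format__`, `__nonnull__`). The bare name can be rewritten by a `noreturn` macro, for example the one C11 `<stdnoreturn.h>` defines, which would break the declaration wherever that header is included first. `void auth_maxtries_exceeded(Authctxt *) __attribute__((__noreturn__));` is the safer spelling and matches the neighbouring lines.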
@@ -210,8 +211,6 @@ struct passwd *fakepw(void); int sys_auth_passwd(Authctxt *, const char *); -#define AUTH_FAIL_MSG "Too many authentication failures for %.100s" - #define SKEY_PROMPT "\nS/Key Password: " #if defined(KRB5) && !defined(HEIMDAL) diff --git a/auth1.c b/auth1.c index 0f870b3b6..d758a3d69 100644 --- a/auth1.c +++ b/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.80 2014/02/02 03:44:31 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.81 2014/07/03 11:16:55 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -363,7 +363,7 @@ do_authloop(Authctxt *authctxt) #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif - packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + auth_maxtries_exceeded(authctxt); } packet_start(SSH_SMSG_FAILURE); diff --git a/auth2.c b/auth2.c index a5490c009..6572381cb 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.130 2014/01/29 06:18:35 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.131 2014/07/03 11:16:55 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -362,7 +362,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif - packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + auth_maxtries_exceeded(authctxt); } methods = authmethods_get(authctxt); debug3("%s: failure partial=%d next methods=\"%s\"", __func__,