[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
     Add MaxAuthTries sshd config option; ok markus@
Darren Tucker 2004-05-24 10:36:23 +10:00
parent e534e12127
commit 89413dbafa
9 changed files with 32 additions and 15 deletions


@ -21,6 +21,9 @@
- jmc@cvs.openbsd.org 2004/05/22 16:01:05
[ssh.1]
kill whitespace at eol;
- dtucker@cvs.openbsd.org 2004/05/23 23:59:53
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
Add MaxAuthTries sshd config option; ok markus@
20040523
- (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in
@ -1150,4 +1153,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.3364 2004/05/24 00:35:14 dtucker Exp $
$Id: ChangeLog,v 1.3365 2004/05/24 00:36:23 dtucker Exp $

auth.c

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.53 2004/05/11 19:01:43 deraadt Exp $");
RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
@ -242,7 +242,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
/* Raise logging level */
if (authenticated == 1 ||
!authctxt->valid ||
authctxt->failures >= AUTH_FAIL_LOG ||
authctxt->failures >= options.max_authtries / 2 ||
strcmp(method, "password") == 0)
authlog = logit;
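Review bot: The new term `authctxt->failures >= options.max_authtries / 2` is the "half this value" rule that sshd_config.5 documents in this commit, but the integer division is silent about its edge: with MaxAuthTries 1 the threshold becomes 0, so every failure goes through the raised log level, and with odd values it rounds down. A one-line comment on that line, `/* half of MaxAuthTries, rounded down; 0 means log every failure */`, would save the next reader from re-deriving it. auth_log begins outside the hunk.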

auth.h

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */
/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -181,8 +181,6 @@ void auth_debug_reset(void);
struct passwd *fakepw(void);
#define AUTH_FAIL_MAX 6
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#define SKEY_PROMPT "\nS/Key Password: "


@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.56 2004/05/09 01:19:27 djm Exp $");
RCSID("$OpenBSD: auth1.c,v 1.57 2004/05/23 23:59:53 dtucker Exp $");
#include "xmalloc.h"
#include "rsa.h"
@ -261,7 +261,7 @@ do_authloop(Authctxt *authctxt)
if (authenticated)
return;
if (authctxt->failures++ > AUTH_FAIL_MAX)
if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
packet_start(SSH_SMSG_FAILURE);
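Review bot: The new line keeps the post-increment and strict `>`, so the comparison sees the old counter value and, assuming failures starts at zero (its initialisation is outside the hunk), the client is only disconnected on the (MaxAuthTries + 2)th failure; with the default of 6 that is eight failed attempts, whereas sshd_config.5 in this same commit describes the option as the maximum number of attempts permitted per connection. The identical test appears on the new line of userauth_finish in auth2.c. Writing it as `if (++authctxt->failures >= options.max_authtries)` in both places makes the enforced limit match the documented one, and is the defensively correct reading when an administrator lowers the value. do_authloop starts outside the hunk.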


@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh2.h"
#include "xmalloc.h"
@ -243,7 +243,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
/* now we can break out */
authctxt->success = 1;
} else {
if (authctxt->failures++ > AUTH_FAIL_MAX)
if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);


@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $");
RCSID("$OpenBSD: servconf.c,v 1.133 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh.h"
#include "log.h"
@ -94,6 +94,7 @@ initialize_server_options(ServerOptions *options)
options->max_startups_begin = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
options->max_authtries = -1;
options->banner = NULL;
options->use_dns = -1;
options->client_alive_interval = -1;
@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options)
options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
if (options->max_authtries == -1)
options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
if (options->use_dns == -1)
options->use_dns = 1;
if (options->client_alive_interval == -1)
@ -262,7 +265,8 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries,
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -357,6 +361,7 @@ static struct {
{ "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
{ "maxauthtries", sMaxAuthTries },
{ "banner", sBanner },
{ "usedns", sUseDNS },
{ "verifyreversemapping", sDeprecated },
@ -869,6 +874,10 @@ parse_flag:
options->max_startups = options->max_startups_begin;
break;
case sMaxAuthTries:
intptr = &options->max_authtries;
goto parse_int;
case sBanner:
charptr = &options->banner;
goto parse_filename;
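Review bot: The new sMaxAuthTries case hands the value to parse_int with no range check, so `MaxAuthTries 0` or a negative number is accepted; combined with the `authctxt->failures++ > options.max_authtries` test in auth1.c/auth2.c that disconnects the client on the second or even the first failure, while a huge value effectively disables the limit. parse_int is outside the hunk, so I cannot tell whether it rejects anything beyond non-numeric input. A bound either here after the parse or next to the default in fill_default_server_options, e.g. `if (options->max_authtries < 1) fatal("MaxAuthTries must be at least 1");`, would keep the option within what the manual page promises.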


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.68 2004/04/27 09:46:37 djm Exp $ */
/* $OpenBSD: servconf.h,v 1.69 2004/05/23 23:59:53 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -33,6 +33,7 @@
#define PERMIT_NO_PASSWD 2
#define PERMIT_YES 3
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
typedef struct {
u_int num_ports;
@ -114,6 +115,7 @@ typedef struct {
int max_startups_begin;
int max_startups_rate;
int max_startups;
int max_authtries;
char *banner; /* SSH-2 banner message */
int use_dns;
int client_alive_interval; /*
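Review bot: The new `int max_authtries;` field carries no comment, unlike the `banner` field just below it, and nothing in the struct says which option it backs or what unit it counts; suggest `int max_authtries; /* MaxAuthTries: failed attempts allowed per connection */`. In the earlier hunk the default keeps the old name `DEFAULT_AUTH_FAIL_MAX` although it now seeds a configurable option; the trailing comment helps, but a name tied to the option (for example DEFAULT_MAX_AUTHTRIES) would make the link obvious at the use sites in servconf.c. This is cosmetic and can wait.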


@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@ -35,6 +35,7 @@
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes


@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $
.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@ -402,6 +402,10 @@ for data integrity protection.
Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection. Once the number of failures reaches half this value, additional
failures are logged. The default is 6.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm sshd