diff --git a/ChangeLog b/ChangeLog index ff05bc462..9ce0adb09 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,9 @@ - jmc@cvs.openbsd.org 2004/05/22 16:01:05 [ssh.1] kill whitespace at eol; + - dtucker@cvs.openbsd.org 2004/05/23 23:59:53 + [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5] + Add MaxAuthTries sshd config option; ok markus@ 20040523 - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in @@ -1150,4 +1153,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3364 2004/05/24 00:35:14 dtucker Exp $ +$Id: ChangeLog,v 1.3365 2004/05/24 00:36:23 dtucker Exp $ diff --git a/auth.c b/auth.c index 4f93ce5ae..ef3cdba3c 100644 --- a/auth.c +++ b/auth.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.53 2004/05/11 19:01:43 deraadt Exp $"); +RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $"); #ifdef HAVE_LOGIN_H #include @@ -242,7 +242,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) /* Raise logging level */ if (authenticated == 1 || !authctxt->valid || - authctxt->failures >= AUTH_FAIL_LOG || + authctxt->failures >= options.max_authtries / 2 || strcmp(method, "password") == 0) authlog = logit; diff --git a/auth.h b/auth.h index 3a7d222ef..2f094403d 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -181,8 +181,6 @@ void auth_debug_reset(void); struct passwd *fakepw(void); -#define AUTH_FAIL_MAX 6 -#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" #define SKEY_PROMPT "\nS/Key Password: " diff --git a/auth1.c b/auth1.c index 376007a05..471f27172 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.56 2004/05/09 01:19:27 djm Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.57 2004/05/23 23:59:53 dtucker Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -261,7 +261,7 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; - if (authctxt->failures++ > AUTH_FAIL_MAX) + if (authctxt->failures++ > options.max_authtries) packet_disconnect(AUTH_FAIL_MSG, authctxt->user); packet_start(SSH_SMSG_FAILURE); diff --git a/auth2.c b/auth2.c index 1177efa73..e4a3cded9 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -243,7 +243,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* now we can break out */ authctxt->success = 1; } else { - if (authctxt->failures++ > AUTH_FAIL_MAX) + if (authctxt->failures++ > options.max_authtries) packet_disconnect(AUTH_FAIL_MSG, authctxt->user); methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); diff --git a/servconf.c b/servconf.c index 467ad64e8..ef8651651 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.133 2004/05/23 23:59:53 dtucker Exp $"); #include "ssh.h" #include "log.h" @@ -94,6 +94,7 @@ initialize_server_options(ServerOptions *options) options->max_startups_begin = -1; options->max_startups_rate = -1; options->max_startups = -1; + options->max_authtries = -1; options->banner = NULL; options->use_dns = -1; options->client_alive_interval = -1; @@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options) options->max_startups_rate = 100; /* 100% */ if (options->max_startups_begin == -1) options->max_startups_begin = options->max_startups; + if (options->max_authtries == -1) + options->max_authtries = DEFAULT_AUTH_FAIL_MAX; if (options->use_dns == -1) options->use_dns = 1; if (options->client_alive_interval == -1) @@ -262,7 +265,8 @@ typedef enum { sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, - sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, + sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, + sMaxStartups, sMaxAuthTries, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -357,6 +361,7 @@ static struct { { "gatewayports", sGatewayPorts }, { "subsystem", sSubsystem }, { "maxstartups", sMaxStartups }, + { "maxauthtries", sMaxAuthTries }, { "banner", sBanner }, { "usedns", sUseDNS }, { "verifyreversemapping", sDeprecated }, @@ -869,6 +874,10 @@ parse_flag: options->max_startups = options->max_startups_begin; break; + case sMaxAuthTries: + intptr = &options->max_authtries; + goto parse_int; + case sBanner: charptr = &options->banner; goto parse_filename; diff --git a/servconf.h b/servconf.h index 1c6296acc..36d2e5ca6 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.68 2004/04/27 09:46:37 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.69 2004/05/23 23:59:53 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -33,6 +33,7 @@ #define PERMIT_NO_PASSWD 2 #define PERMIT_YES 3 +#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ typedef struct { u_int num_ports; @@ -114,6 +115,7 @@ typedef struct { int max_startups_begin; int max_startups_rate; int max_startups; + int max_authtries; char *banner; /* SSH-2 banner message */ int use_dns; int client_alive_interval; /* diff --git a/sshd_config b/sshd_config index 2b8d9f695..65e6f1c32 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $ +# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -35,6 +35,7 @@ #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes +#MaxAuthTries 6 #RSAAuthentication yes #PubkeyAuthentication yes diff --git a/sshd_config.5 b/sshd_config.5 index 05558c569..8edaf030c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -402,6 +402,10 @@ for data integrity protection. Multiple algorithms must be comma-separated. The default is .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . +.It Cm MaxAuthTries +Specifies the maximum number of authentication attempts permitted per +connection. Once the number of failures reaches half this value, additional +failures are logged. The default is 6. .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the .Nm sshd