tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- dtucker@cvs.openbsd.org 2004/05/23 23:59:53 

[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
     Add MaxAuthTries sshd config option; ok markus@
This commit is contained in:
Darren Tucker 2004-05-24 10:36:23 +10:00
parent e534e12127
commit 89413dbafa
9 changed files with 32 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -21,6 +21,9 @@
- jmc@cvs.openbsd.org 2004/05/22 16:01:05 - jmc@cvs.openbsd.org 2004/05/22 16:01:05
[ssh.1] [ssh.1]
kill whitespace at eol; kill whitespace at eol;
- dtucker@cvs.openbsd.org 2004/05/23 23:59:53
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
Add MaxAuthTries sshd config option; ok markus@
20040523 20040523
- (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in
@ -1150,4 +1153,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.3364 2004/05/24 00:35:14 dtucker Exp $ $Id: ChangeLog,v 1.3365 2004/05/24 00:36:23 dtucker Exp $

4
auth.c
View File

@ -23,7 +23,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.53 2004/05/11 19:01:43 deraadt Exp $"); RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $");
#ifdef HAVE_LOGIN_H #ifdef HAVE_LOGIN_H
#include <login.h> #include <login.h>
@ -242,7 +242,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
/* Raise logging level */ /* Raise logging level */
if (authenticated == 1 || if (authenticated == 1 ||
!authctxt->valid || !authctxt->valid ||
authctxt->failures >= AUTH_FAIL_LOG || authctxt->failures >= options.max_authtries / 2 ||
strcmp(method, "password") == 0) strcmp(method, "password") == 0)
authlog = logit; authlog = logit;

4
auth.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */ /* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -181,8 +181,6 @@ void auth_debug_reset(void);
struct passwd *fakepw(void); struct passwd *fakepw(void);
#define AUTH_FAIL_MAX 6
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s" #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#define SKEY_PROMPT "\nS/Key Password: " #define SKEY_PROMPT "\nS/Key Password: "

4
auth1.c
View File

@ -10,7 +10,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.56 2004/05/09 01:19:27 djm Exp $"); RCSID("$OpenBSD: auth1.c,v 1.57 2004/05/23 23:59:53 dtucker Exp $");
#include "xmalloc.h" #include "xmalloc.h"
#include "rsa.h" #include "rsa.h"
@ -261,7 +261,7 @@ do_authloop(Authctxt *authctxt)
if (authenticated) if (authenticated)
return; return;
if (authctxt->failures++ > AUTH_FAIL_MAX) if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user); packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
packet_start(SSH_SMSG_FAILURE); packet_start(SSH_SMSG_FAILURE);

4
auth2.c
View File

@ -23,7 +23,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $"); RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh2.h" #include "ssh2.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -243,7 +243,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
/* now we can break out */ /* now we can break out */
authctxt->success = 1; authctxt->success = 1;
} else { } else {
if (authctxt->failures++ > AUTH_FAIL_MAX) if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user); packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
methods = authmethods_get(); methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_start(SSH2_MSG_USERAUTH_FAILURE);

13
servconf.c
View File

@ -10,7 +10,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $"); RCSID("$OpenBSD: servconf.c,v 1.133 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh.h" #include "ssh.h"
#include "log.h" #include "log.h"
@ -94,6 +94,7 @@ initialize_server_options(ServerOptions *options)
options->max_startups_begin = -1; options->max_startups_begin = -1;
options->max_startups_rate = -1; options->max_startups_rate = -1;
options->max_startups = -1; options->max_startups = -1;
options->max_authtries = -1;
options->banner = NULL; options->banner = NULL;
options->use_dns = -1; options->use_dns = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options)
options->max_startups_rate = 100; /* 100% */ options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1) if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups; options->max_startups_begin = options->max_startups;
if (options->max_authtries == -1)
options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
if (options->use_dns == -1) if (options->use_dns == -1)
options->use_dns = 1; options->use_dns = 1;
if (options->client_alive_interval == -1) if (options->client_alive_interval == -1)
@ -262,7 +265,8 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries,
sBanner, sUseDNS, sHostbasedAuthentication, sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -357,6 +361,7 @@ static struct {
{ "gatewayports", sGatewayPorts }, { "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem }, { "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups }, { "maxstartups", sMaxStartups },
{ "maxauthtries", sMaxAuthTries },
{ "banner", sBanner }, { "banner", sBanner },
{ "usedns", sUseDNS }, { "usedns", sUseDNS },
{ "verifyreversemapping", sDeprecated }, { "verifyreversemapping", sDeprecated },
@ -869,6 +874,10 @@ parse_flag:
options->max_startups = options->max_startups_begin; options->max_startups = options->max_startups_begin;
break; break;
case sMaxAuthTries:
intptr = &options->max_authtries;
goto parse_int;
case sBanner: case sBanner:
charptr = &options->banner; charptr = &options->banner;
goto parse_filename; goto parse_filename;

4
servconf.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.68 2004/04/27 09:46:37 djm Exp $ */ /* $OpenBSD: servconf.h,v 1.69 2004/05/23 23:59:53 dtucker Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -33,6 +33,7 @@
#define PERMIT_NO_PASSWD 2 #define PERMIT_NO_PASSWD 2
#define PERMIT_YES 3 #define PERMIT_YES 3
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
typedef struct { typedef struct {
u_int num_ports; u_int num_ports;
@ -114,6 +115,7 @@ typedef struct {
int max_startups_begin; int max_startups_begin;
int max_startups_rate; int max_startups_rate;
int max_startups; int max_startups;
int max_authtries;
char *banner; /* SSH-2 banner message */ char *banner; /* SSH-2 banner message */
int use_dns; int use_dns;
int client_alive_interval; /* int client_alive_interval; /*

3
sshd_config
View File

@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $ # $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
@ -35,6 +35,7 @@
#LoginGraceTime 2m #LoginGraceTime 2m
#PermitRootLogin yes #PermitRootLogin yes
#StrictModes yes #StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes #RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes

6
sshd_config.5
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $ .\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
@ -402,6 +402,10 @@ for data integrity protection.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
The default is The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection. Once the number of failures reaches half this value, additional
failures are logged. The default is 6.
.It Cm MaxStartups .It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the Specifies the maximum number of concurrent unauthenticated connections to the
.Nm sshd .Nm sshd