tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

Skip passwords longer than 1k in length so clients can't
easily DoS sshd by sending very long passwords, causing it to spend CPU
hashing them. feedback djm@, ok markus@.

Brought to our attention by tomas.kuthan at oracle.com, shilei-c at
360.cn and coredump at autistici.org

Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
This commit is contained in:
dtucker@openbsd.org 2016-07-21 01:39:35 +00:00 committed by Damien Miller
parent 324583e8fb
commit fcd135c9df
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
auth-passwd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */ /* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -66,6 +66,8 @@ extern login_cap_t *lc;
#define DAY (24L * 60 * 60) /* 1 day in seconds */ #define DAY (24L * 60 * 60) /* 1 day in seconds */
#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
#define MAX_PASSWORD_LEN 1024
void void
disable_forwarding(void) disable_forwarding(void)
{ {
@ -87,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password)
static int expire_checked = 0; static int expire_checked = 0;
#endif #endif
if (strlen(password) > MAX_PASSWORD_LEN)
return 0;
#ifndef HAVE_CYGWIN #ifndef HAVE_CYGWIN
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
ok = 0; ok = 0;