author | djm <djm> | 2008-07-04 23:44:53 +0000 |
---|---|---|
committer | djm <djm> | 2008-07-04 23:44:53 +0000 |
commit | 07de296d34ba951cd787411d350aefb997457fe2 (patch) | |
tree | 4b8115cde4329ca590eb6fe69386e349b261d64b | |
parent | ca1ffcdb1060e5d59a0c9e9e4a05547da8082153 (diff) | |
- djm@cvs.openbsd.org 2008/07/04 23:30:16
[auth1.c auth2.c]
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.
ok dtucker@
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | auth1.c | 6 | ||||
-rw-r--r-- | auth2.c | 9 |
3 files changed, 20 insertions, 5 deletions
@@ -9,6 +9,14 @@ - djm@cvs.openbsd.org 2008/07/04 23:08:25 [packet.c] handle EINTR in packet_write_poll()l ok dtucker@ + - djm@cvs.openbsd.org 2008/07/04 23:30:16 + [auth1.c auth2.c] + Make protocol 1 MaxAuthTries logic match protocol 2's. + Do not treat the first protocol 2 authentication attempt as + a failure IFF it is for method "none". + Makes MaxAuthTries' user-visible behaviour identical for + protocol 1 vs 2. + ok dtucker@ 20080704 - (dtucker) OpenBSD CVS Sync @@ -4582,4 +4590,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5061 2008/07/04 23:40:56 djm Exp $ +$Id: ChangeLog,v 1.5062 2008/07/04 23:44:53 djm Exp $ @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -284,6 +284,8 @@ do_authloop(Authctxt *authctxt) type != SSH_CMSG_AUTH_TIS_RESPONSE) abandon_challenge_response(authctxt); + if (authctxt->failures >= options.max_authtries) + goto skip; if ((meth = lookup_authmethod1(type)) == NULL) { logit("Unknown message during authentication: " "type %d", type); @@ -368,7 +370,7 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; - if (authctxt->failures++ > options.max_authtries) { + if (++authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -36,6 +36,7 @@ #include <unistd.h> #include "xmalloc.h" +#include "atomicio.h" #include "ssh2.h" #include "packet.h" #include "log.h" 
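Review bot: The new early guard in do_authloop() (`if (authctxt->failures >= options.max_authtries) goto skip;`, the auth1.c hunk at -284) has no comment, and its purpose is not obvious because the end-of-loop test changed in the next hunk already disconnects at the same threshold. From the visible lines it can only fire when the counter is already at the limit as a message arrives, for example if the configured limit is zero or the counter was raised outside this loop. A comment such as `/* Limit already reached: skip the method so no further credential check runs */` would record that. The `skip` label and the per-message initialisation of `authenticated` are outside the hunk, so confirm that `authenticated` is still zero whenever the guard jumps.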
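Review bot: The rewritten limit test in do_authloop() (the auth1.c hunk at -368) changes which failure triggers the disconnect, and nothing at the site says so. With the old `authctxt->failures++ > options.max_authtries` a connection was cut off on failure number max_authtries + 2; with `++authctxt->failures >= options.max_authtries` it is cut off on failure number max_authtries. Since this sets how many guesses one connection gets, a comment like `/* Disconnect on the max_authtries-th failure, same threshold as userauth_finish() */` would help keep the two protocol paths from drifting apart again. The enclosing loop continues outside the hunk.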
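Review bot: The added `#include "atomicio.h"` in auth2.c (hunk at -36) is not used by anything in the visible hunks of this commit, and the commit message describes only the MaxAuthTries change. If code already in the file needs it, it would be clearer as its own commit or with a line in the message; otherwise it should be dropped. The rest of auth2.c is outside this view, so this is something to check rather than a certain defect.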
@@ -333,7 +334,11 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 /* now we can break out */
 authctxt->success = 1;
 } else {
- if (++authctxt->failures >= options.max_authtries) {
+
+ /* Allow initial try of "none" auth without failure penalty */
+ if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+ authctxt->failures++;
+ if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif |
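Review bot: The "none" exemption in userauth_finish() is correct only if `authctxt->attempt` has already been incremented to 1 for the first request by the time this function runs, and that increment is outside the hunk. If the counter were bumped later or started from a different value, the exemption would cover more or fewer requests than intended, which changes how many guesses a connection gets before MaxAuthTries disconnects it. I would extend the comment to state the dependency, e.g. `/* Allow initial try of "none" auth without failure penalty; relies on attempt being 1 for the first request */`. The empty added line after `} else {` can also go. userauth_finish() begins and ends outside the hunk.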