authorDarren Tucker <dtucker@cvs.openbsd.org>2004-05-23 23:59:54 +0000
committerDarren Tucker <dtucker@cvs.openbsd.org>2004-05-23 23:59:54 +0000
commit61971900f6626ea5e57221d2e6eca4a6d655b278 (patch)
tree60a4f1c5f3eb451b0ea155d6f6ed4aca080722ff
parentad14f868f9139930b0b71354b055d2a67db29e7c (diff)
Add MaxAuthTries sshd config option; ok markus@
-rw-r--r--usr.bin/ssh/auth.c4
-rw-r--r--usr.bin/ssh/auth.h4
-rw-r--r--usr.bin/ssh/auth1.c4
-rw-r--r--usr.bin/ssh/auth2.c4
-rw-r--r--usr.bin/ssh/servconf.c13
-rw-r--r--usr.bin/ssh/servconf.h4
-rw-r--r--usr.bin/ssh/sshd_config3
-rw-r--r--usr.bin/ssh/sshd_config.56
8 files changed, 28 insertions, 14 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 404e850c047..1b1b37ee1c4 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.53 2004/05/11 19:01:43 deraadt Exp $");
+RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $");
#include <libgen.h>
@@ -161,7 +161,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
/* Raise logging level */
if (authenticated == 1 ||
!authctxt->valid ||
- authctxt->failures >= AUTH_FAIL_LOG ||
+ authctxt->failures >= options.max_authtries / 2 ||
strcmp(method, "password") == 0)
authlog = logit;
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index e45137bdce8..816cc6a0bed 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -170,8 +170,6 @@ void auth_debug_reset(void);
struct passwd *fakepw(void);
-#define AUTH_FAIL_MAX 6
-#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#define SKEY_PROMPT "\nS/Key Password: "
diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c
index a02acc9b8ca..980f96c65ed 100644
--- a/usr.bin/ssh/auth1.c
+++ b/usr.bin/ssh/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.56 2004/05/09 01:19:27 djm Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.57 2004/05/23 23:59:53 dtucker Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -220,7 +220,7 @@ do_authloop(Authctxt *authctxt)
if (authenticated)
return;
- if (authctxt->failures++ > AUTH_FAIL_MAX)
+ if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
packet_start(SSH_SMSG_FAILURE);
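Review bot: The check `authctxt->failures++ > options.max_authtries` compares the value before the increment using `>`, so it allows more failed attempts than the configured number. With the default of 6, and assuming `failures` starts at zero and is only incremented here, the disconnect fires on the eighth failed attempt. That was harmless for an internal constant, but MaxAuthTries is now an administrator-facing limit on password guessing, documented in sshd_config.5 as the maximum number of attempts per connection. Either make the comparison match the documented meaning, for example `if (++authctxt->failures >= options.max_authtries)`, or state the real bound in the man page. The same expression is carried into `userauth_finish` in auth2.c, and both functions continue outside their hunks.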
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index d1a4a35bef1..92c6acf50e6 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh2.h"
#include "xmalloc.h"
@@ -223,7 +223,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
/* now we can break out */
authctxt->success = 1;
} else {
- if (authctxt->failures++ > AUTH_FAIL_MAX)
+ if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index e605d361387..c82458a6818 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.133 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh.h"
#include "log.h"
@@ -89,6 +89,7 @@ initialize_server_options(ServerOptions *options)
options->max_startups_begin = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
+ options->max_authtries = -1;
options->banner = NULL;
options->use_dns = -1;
options->client_alive_interval = -1;
@@ -202,6 +203,8 @@ fill_default_server_options(ServerOptions *options)
options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
+ if (options->max_authtries == -1)
+ options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
if (options->use_dns == -1)
options->use_dns = 1;
if (options->client_alive_interval == -1)
@@ -239,7 +242,8 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
- sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
+ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
+ sMaxStartups, sMaxAuthTries,
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -322,6 +326,7 @@ static struct {
{ "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
+ { "maxauthtries", sMaxAuthTries },
{ "banner", sBanner },
{ "usedns", sUseDNS },
{ "verifyreversemapping", sDeprecated },
@@ -828,6 +833,10 @@ parse_flag:
options->max_startups = options->max_startups_begin;
break;
+ case sMaxAuthTries:
+ intptr = &options->max_authtries;
+ goto parse_int;
+
case sBanner:
charptr = &options->banner;
goto parse_filename;
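Review bot: The new `case sMaxAuthTries` stores whatever `parse_int` returns with no range check of its own, so zero or a negative MaxAuthTries may be accepted. `parse_int` is outside this hunk, so this holds only if it does not already reject such values. An explicit -1 would collide with the "unset" sentinel from `initialize_server_options` and be silently replaced by `DEFAULT_AUTH_FAIL_MAX`. Any other value below 1 would make the `failures++ > options.max_authtries` checks in auth1.c and auth2.c, and the `options.max_authtries / 2` logging threshold in auth.c, behave in ways the man page does not describe. I would reject values below 1 at parse time with a fatal configuration error naming the file and line, and add a comment on the case, `/* must be >= 1; -1 is reserved for "unset" */`.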
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 1a828243a94..42bc4a1dd3f 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.68 2004/04/27 09:46:37 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.69 2004/05/23 23:59:53 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -33,6 +33,7 @@
#define PERMIT_NO_PASSWD 2
#define PERMIT_YES 3
+#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
typedef struct {
u_int num_ports;
@@ -114,6 +115,7 @@ typedef struct {
int max_startups_begin;
int max_startups_rate;
int max_startups;
+ int max_authtries;
char *banner; /* SSH-2 banner message */
int use_dns;
int client_alive_interval; /*
diff --git a/usr.bin/ssh/sshd_config b/usr.bin/ssh/sshd_config
index 123bb39d602..8c2758cac69 100644
--- a/usr.bin/ssh/sshd_config
+++ b/usr.bin/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
+# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -33,6 +33,7 @@
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
+#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index c07d5d62559..8305819efce 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -402,6 +402,10 @@ for data integrity protection.
Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.It Cm MaxAuthTries
+Specifies the maximum number of authentication attempts permitted per
+connection. Once the number of failures reaches half this value, additional
+failures are logged. The default is 6.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm sshd