author | Damien Miller <djm@cvs.openbsd.org> | 2008-07-04 23:30:17 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2008-07-04 23:30:17 +0000 |
commit | 8cd231a952d89eb287c656da85ef6aa9a49b28bf (patch) | |
tree | b441511d70b48740e6bf397539b732018a13286a | |
parent | 7cccd8a1a4b783ae1933b6ae39fe7a9c4504ba61 (diff) |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.
ok dtucker@
-rw-r--r-- | usr.bin/ssh/auth1.c | 6 | ||||
-rw-r--r-- | usr.bin/ssh/auth2.c | 7 |
2 files changed, 9 insertions, 4 deletions
diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c
index 3c6c3a6264c..bd4ea1b6333 100644
--- a/usr.bin/ssh/auth1.c
+++ b/usr.bin/ssh/auth1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -261,6 +261,8 @@ do_authloop(Authctxt *authctxt)
 /* Get a packet from the client. */
 type = packet_read();
+ if (authctxt->failures >= options.max_authtries)
+ goto skip;
 if ((meth = lookup_authmethod1(type)) == NULL) {
 logit("Unknown message during authentication: "
 "type %d", type);
@@ -296,7 +298,7 @@ do_authloop(Authctxt *authctxt)
 if (authenticated)
 return;
- if (authctxt->failures++ > options.max_authtries)
+ if (++authctxt->failures >= options.max_authtries)
 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 packet_start(SSH_SMSG_FAILURE);
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index b1385d9a6d5..eea0434f9ec 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -288,7 +288,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 /* now we can break out */
 authctxt->success = 1;
 } else {
- if (++authctxt->failures >= options.max_authtries)
+ /* Allow initial try of "none" auth without failure penalty */
+ if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+ authctxt->failures++;
+ if (authctxt->failures >= options.max_authtries)
 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 methods = authmethods_get();
 packet_start(SSH2_MSG_USERAUTH_FAILURE); |
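Review bot: The new guard after `type = packet_read()` in the do_authloop hunk has no comment saying when authctxt->failures can already be at the limit at the top of the loop, given that the check in the following hunk now disconnects as soon as `++authctxt->failures` reaches it; the cases it appears to cover are MaxAuthTries set to 0 and any increment of the counter outside this loop, and that is worth stating. The jump also bypasses lookup_authmethod1 and the method dispatch, so the packet body after the type byte is left unread when control reaches the skip: label, which is outside the hunk; whether that path tolerates an unconsumed payload (packet_check_eom or similar) should be confirmed. Suggested comment above the check: `/* Already at the limit (e.g. MaxAuthTries 0): do not dispatch, go straight to the failure/disconnect path */`. do_authloop begins before the hunk and continues after it.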
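Review bot: The new comment above `if (authctxt->attempt > 1 || strcmp(method, "none") != 0)` in userauth_finish says what is exempted but not what still counts, which is the half a reader needs: only the very first request is exempt, so any later "none" request, and a first request for any other method, increments authctxt->failures exactly as before. Suggest extending it to `/* The first "none" request is the client's method probe and is not counted; every later request, "none" included, still counts toward MaxAuthTries */`. The test relies on authctxt->attempt having been incremented before userauth_finish runs and on method never being NULL here (strcmp on NULL is undefined behaviour); both are established outside the hunk and should be confirmed. userauth_finish starts before the hunk and continues after it.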