summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@cvs.openbsd.org>2004-05-23 23:59:54 +0000
committerDarren Tucker <dtucker@cvs.openbsd.org>2004-05-23 23:59:54 +0000
commit61971900f6626ea5e57221d2e6eca4a6d655b278 (patch)
tree60a4f1c5f3eb451b0ea155d6f6ed4aca080722ff /usr.bin
parentad14f868f9139930b0b71354b055d2a67db29e7c (diff)
Add MaxAuthTries sshd config option; ok markus@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/auth.c4
-rw-r--r--usr.bin/ssh/auth.h4
-rw-r--r--usr.bin/ssh/auth1.c4
-rw-r--r--usr.bin/ssh/auth2.c4
-rw-r--r--usr.bin/ssh/servconf.c13
-rw-r--r--usr.bin/ssh/servconf.h4
-rw-r--r--usr.bin/ssh/sshd_config3
-rw-r--r--usr.bin/ssh/sshd_config.56
8 files changed, 28 insertions, 14 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 404e850c047..1b1b37ee1c4 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.53 2004/05/11 19:01:43 deraadt Exp $");
+RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $");
#include <libgen.h>
@@ -161,7 +161,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
/* Raise logging level */
if (authenticated == 1 ||
!authctxt->valid ||
- authctxt->failures >= AUTH_FAIL_LOG ||
+ authctxt->failures >= options.max_authtries / 2 ||
strcmp(method, "password") == 0)
authlog = logit;
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index e45137bdce8..816cc6a0bed 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -170,8 +170,6 @@ void auth_debug_reset(void);
struct passwd *fakepw(void);
-#define AUTH_FAIL_MAX 6
-#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#define SKEY_PROMPT "\nS/Key Password: "
diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c
index a02acc9b8ca..980f96c65ed 100644
--- a/usr.bin/ssh/auth1.c
+++ b/usr.bin/ssh/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.56 2004/05/09 01:19:27 djm Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.57 2004/05/23 23:59:53 dtucker Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -220,7 +220,7 @@ do_authloop(Authctxt *authctxt)
if (authenticated)
return;
- if (authctxt->failures++ > AUTH_FAIL_MAX)
+ if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
packet_start(SSH_SMSG_FAILURE);
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index d1a4a35bef1..92c6acf50e6 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh2.h"
#include "xmalloc.h"
@@ -223,7 +223,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
/* now we can break out */
authctxt->success = 1;
} else {
- if (authctxt->failures++ > AUTH_FAIL_MAX)
+ if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index e605d361387..c82458a6818 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.133 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh.h"
#include "log.h"
@@ -89,6 +89,7 @@ initialize_server_options(ServerOptions *options)
options->max_startups_begin = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
+ options->max_authtries = -1;
options->banner = NULL;
options->use_dns = -1;
options->client_alive_interval = -1;
@@ -202,6 +203,8 @@ fill_default_server_options(ServerOptions *options)
options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
+ if (options->max_authtries == -1)
+ options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
if (options->use_dns == -1)
options->use_dns = 1;
if (options->client_alive_interval == -1)
@@ -239,7 +242,8 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
- sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
+ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
+ sMaxStartups, sMaxAuthTries,
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -322,6 +326,7 @@ static struct {
{ "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
+ { "maxauthtries", sMaxAuthTries },
{ "banner", sBanner },
{ "usedns", sUseDNS },
{ "verifyreversemapping", sDeprecated },
@@ -828,6 +833,10 @@ parse_flag:
options->max_startups = options->max_startups_begin;
break;
+ case sMaxAuthTries:
+ intptr = &options->max_authtries;
+ goto parse_int;
+
case sBanner:
charptr = &options->banner;
goto parse_filename;
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 1a828243a94..42bc4a1dd3f 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.68 2004/04/27 09:46:37 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.69 2004/05/23 23:59:53 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -33,6 +33,7 @@
#define PERMIT_NO_PASSWD 2
#define PERMIT_YES 3
+#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
typedef struct {
u_int num_ports;
@@ -114,6 +115,7 @@ typedef struct {
int max_startups_begin;
int max_startups_rate;
int max_startups;
+ int max_authtries;
char *banner; /* SSH-2 banner message */
int use_dns;
int client_alive_interval; /*
diff --git a/usr.bin/ssh/sshd_config b/usr.bin/ssh/sshd_config
index 123bb39d602..8c2758cac69 100644
--- a/usr.bin/ssh/sshd_config
+++ b/usr.bin/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
+# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -33,6 +33,7 @@
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
+#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index c07d5d62559..8305819efce 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -402,6 +402,10 @@ for data integrity protection.
Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.It Cm MaxAuthTries
+Specifies the maximum number of authentication attempts permitted per
+connection. Once the number of failures reaches half this value, additional
+failures are logged. The default is 6.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm sshd