Bugzilla – Attachment 382 Details for
Bug 561
Please implement MaxAuthTries
[patch]
Implement MaxAuthTries, patch against OpenBSD.
openbsd-maxauthtries.patch (text/plain), 5.01 KB, created by
Darren Tucker
on 2003-09-05 15:00:55 AEST
Description:
Implement MaxAuthTries, patch against OpenBSD.
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2003-09-05 15:00:55 AEST
Size:
5.01 KB
>? scard/Ssh.bin
>? scp/scp
>? scp/scp.cat1
>? sftp/sftp
>? sftp/sftp.cat1
>? sftp-server/sftp-server
>? sftp-server/sftp-server.cat8
>? ssh/ssh
>? ssh/ssh.cat1
>? ssh/ssh_config.cat5
>? ssh-add/ssh-add
>? ssh-add/ssh-add.cat1
>? ssh-agent/ssh-agent
>? ssh-agent/ssh-agent.cat1
>? ssh-keygen/ssh-keygen
>? ssh-keygen/ssh-keygen.cat1
>? ssh-keyscan/ssh-keyscan
>? ssh-keyscan/ssh-keyscan.cat1
>? ssh-keysign/ssh-keysign
>? ssh-keysign/ssh-keysign.cat8
>? sshd/sshd
>? sshd/sshd.cat8
>? sshd/sshd_config.cat5
>Index: auth.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth.c,v
>retrieving revision 1.49
>diff -u -p -r1.49 auth.c
>--- auth.c 2003/08/26 09:58:43 1.49
>+++ auth.c 2003/09/05 05:02:16
>@@ -170,7 +170,7 @@ auth_log(Authctxt *authctxt, int authent
> /* Raise logging level */
> if (authenticated == 1 ||
> !authctxt->valid ||
>- authctxt->failures >= AUTH_FAIL_LOG ||
>+ authctxt->failures >= options.max_authtries / 2 ||
> strcmp(method, "password") == 0)
> authlog = logit;
> 
>Index: auth.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth.h,v
>retrieving revision 1.46
>diff -u -p -r1.46 auth.h
>--- auth.h 2003/08/28 12:54:34 1.46
>+++ auth.h 2003/09/05 05:02:16
>@@ -172,8 +172,6 @@ void auth_debug_reset(void);
> 
> struct passwd *fakepw(void);
> 
>-#define AUTH_FAIL_MAX 6
>-#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
> #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
> 
> #define SKEY_PROMPT "\nS/Key Password: "
>Index: auth1.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth1.c,v
>retrieving revision 1.52
>diff -u -p -r1.52 auth1.c
>--- auth1.c 2003/08/28 12:54:34 1.52
>+++ auth1.c 2003/09/05 05:02:16
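Review bot: In the auth.c hunk the raised-logging threshold `options.max_authtries / 2` now comes from an administrator-supplied integer, and integer division makes it 0 when MaxAuthTries is 0 or 1, so `authctxt->failures >= 0` would hold for every attempt and every call would be logged through `logit`. That may well be acceptable for such a strict setting, but it should be a stated decision rather than a side effect; a comment above the condition such as `/* threshold is 0 for MaxAuthTries <= 1, i.e. every attempt is logged at the raised level */` would record it. auth_log's body starts and ends outside the hunk, so the default value of `authlog` is not visible here.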
>@@ -222,7 +222,7 @@ do_authloop(Authctxt *authctxt)
> if (authenticated)
> return;
> 
>- if (authctxt->failures++ > AUTH_FAIL_MAX)
>+ if (authctxt->failures++ > options.max_authtries)
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> 
> packet_start(SSH_SMSG_FAILURE);
>Index: auth2.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth2.c,v
>retrieving revision 1.102
>diff -u -p -r1.102 auth2.c
>--- auth2.c 2003/08/26 09:58:43 1.102
>+++ auth2.c 2003/09/05 05:02:16
>@@ -232,7 +232,7 @@ userauth_finish(Authctxt *authctxt, int
> /* now we can break out */
> authctxt->success = 1;
> } else {
>- if (authctxt->failures++ > AUTH_FAIL_MAX)
>+ if (authctxt->failures++ > options.max_authtries)
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> methods = authmethods_get();
> packet_start(SSH2_MSG_USERAUTH_FAILURE);
>Index: servconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
>retrieving revision 1.127
>diff -u -p -r1.127 servconf.c
>--- servconf.c 2003/09/01 18:15:50 1.127
>+++ servconf.c 2003/09/05 05:02:17
>@@ -89,6 +89,7 @@ initialize_server_options(ServerOptions
> options->max_startups_begin = -1;
> options->max_startups_rate = -1;
> options->max_startups = -1;
>+ options->max_authtries = -1;
> options->banner = NULL;
> options->use_dns = -1;
> options->client_alive_interval = -1;
>@@ -199,6 +200,8 @@ fill_default_server_options(ServerOption
> options->max_startups_rate = 100; /* 100% */
> if (options->max_startups_begin == -1)
> options->max_startups_begin = options->max_startups;
>+ if (options->max_authtries == -1)
>+ options->max_authtries = 6;
> if (options->use_dns == -1)
> options->use_dns = 1;
> if (options->client_alive_interval == -1)
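Review bot: The check `authctxt->failures++ > options.max_authtries` in do_authloop (auth1.c), and the identical line in userauth_finish (auth2.c), compares the counter before incrementing it and uses a strict `>`. With the default of 6 the connection is therefore dropped only on the eighth failed attempt, not the sixth. This was an internal detail while the limit was the constant AUTH_FAIL_MAX, but an administrator setting MaxAuthTries will reasonably read it as the number of attempts permitted. Either document the exact semantics next to the check and in the option's description, or, if the option is meant to be the literal attempt count, tighten it to `if (++authctxt->failures >= options.max_authtries)`. The second choice changes the effective default and needs a deliberate decision. Both functions start and end outside their hunks.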
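Review bot: The default assigned in fill_default_server_options is the bare literal `6`, while the auth.h hunk of this patch deletes `AUTH_FAIL_MAX`, the name that used to carry that value. A named constant would keep the default discoverable and give the documentation one place to refer to. A possible shape is `#define DEFAULT_AUTH_FAIL_MAX 6` in servconf.h, used here as `options->max_authtries = DEFAULT_AUTH_FAIL_MAX;`.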
>@@ -235,7 +238,8 @@ typedef enum {
> sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
> sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
> sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
>- sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
>+ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
>+ sMaxStartups, sMaxAuthTries,
> sBanner, sUseDNS, sHostbasedAuthentication,
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
> sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
>@@ -315,6 +319,7 @@ static struct {
> { "gatewayports", sGatewayPorts },
> { "subsystem", sSubsystem },
> { "maxstartups", sMaxStartups },
>+ { "maxauthtries", sMaxAuthTries },
> { "banner", sBanner },
> { "usedns", sUseDNS },
> { "verifyreversemapping", sDeprecated },
>@@ -815,6 +820,10 @@ parse_flag:
> else
> options->max_startups = options->max_startups_begin;
> break;
>+
>+ case sMaxAuthTries:
>+ intptr = &options->max_authtries;
>+ goto parse_int;
> 
> case sBanner:
> charptr = &options->banner;
>Index: servconf.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
>retrieving revision 1.65
>diff -u -p -r1.65 servconf.h
>--- servconf.h 2003/09/01 18:15:50 1.65
>+++ servconf.h 2003/09/05 05:02:17
>@@ -108,6 +108,7 @@ typedef struct {
> int max_startups_begin;
> int max_startups_rate;
> int max_startups;
>+ int max_authtries;
> char *banner; /* SSH-2 banner message */
> int use_dns;
> int client_alive_interval; /*
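Review bot: The new `case sMaxAuthTries` hands the value to the shared `parse_int` label with no range check in this hunk, so zero and negative numbers appear to be accepted as a limit on authentication attempts. `parse_int` itself is outside the hunk, so any validation it does cannot be seen here. A configured `-1` also collides with the "unset" sentinel and would be silently replaced by the default in fill_default_server_options. The value should be rejected with a configuration error when it is below 1, either in this case or in a post-load check, and carry a comment such as `/* must be >= 1; -1 is reserved for "not set" */`. The visible part of the patch touches no manual page, and the attachment text is cut off in servconf.h, so it is worth confirming that sshd_config(5) documents the option and its default.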
Attachments on
bug 561
:
382
|
623
|
636