Bugzilla – Attachment 636 Details for
Bug 561
Please implement MaxAuthTries
[patch]
Update patch to -current, add to example sshd_config
openbsd-maxauthtries.patch (text/plain), 6.40 KB, created by
Darren Tucker
on 2004-05-17 10:15:20 AEST
Description:
Update patch to -current, add to example sshd_config
Creator:
Darren Tucker
Created:
2004-05-17 10:15:20 AEST
Size:
6.40 KB
>Index: auth.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth.c,v
>retrieving revision 1.53
>diff -u -p -r1.53 auth.c
>--- auth.c 11 May 2004 19:01:43 -0000 1.53
>+++ auth.c 17 May 2004 00:14:11 -0000
>@@ -161,7 +161,7 @@ auth_log(Authctxt *authctxt, int authent
> /* Raise logging level */
> if (authenticated == 1 ||
> !authctxt->valid ||
>- authctxt->failures >= AUTH_FAIL_LOG ||
>+ authctxt->failures >= options.max_authtries_log ||
> strcmp(method, "password") == 0)
> authlog = logit;
>
>Index: auth.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth.h,v
>retrieving revision 1.49
>diff -u -p -r1.49 auth.h
>--- auth.h 30 Jan 2004 09:48:57 -0000 1.49
>+++ auth.h 17 May 2004 00:14:11 -0000
>@@ -170,8 +170,6 @@ void auth_debug_reset(void);
>
> struct passwd *fakepw(void);
>
>-#define AUTH_FAIL_MAX 6
>-#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
> #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
>
> #define SKEY_PROMPT "\nS/Key Password: "
>Index: auth1.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth1.c,v
>retrieving revision 1.56
>diff -u -p -r1.56 auth1.c
>--- auth1.c 9 May 2004 01:19:27 -0000 1.56
>+++ auth1.c 17 May 2004 00:14:11 -0000
>@@ -220,7 +220,7 @@ do_authloop(Authctxt *authctxt)
> if (authenticated)
> return;
>
>- if (authctxt->failures++ > AUTH_FAIL_MAX)
>+ if (authctxt->failures++ > options.max_authtries)
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>
> packet_start(SSH_SMSG_FAILURE);
>Index: auth2.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth2.c,v
>retrieving revision 1.104
>diff -u -p -r1.104 auth2.c
>--- auth2.c 4 Nov 2003 08:54:09 -0000 1.104
>+++ auth2.c 17 May 2004 00:14:11 -0000
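Review bot: In the do_authloop hunk of auth1.c, `if (authctxt->failures++ > options.max_authtries)` compares the pre-increment count with `>`, so, assuming `failures` starts at 0, a connection receives MaxAuthTries + 1 failure replies and is only disconnected on the failure after that. That is more than the "maximum number of authentication attempts permitted per connection" the new sshd_config.5 text promises, and now that the bound is an administrator-facing limit on per-connection guessing it should be exact. `if (++authctxt->failures >= options.max_authtries)` would disconnect on the failure that reaches the limit. The userauth_finish hunk in auth2.c carries the same comparison; both function bodies continue outside their hunks, so any other update to `failures` is not visible here.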
>@@ -223,7 +223,7 @@ userauth_finish(Authctxt *authctxt, int
> /* now we can break out */
> authctxt->success = 1;
> } else {
>- if (authctxt->failures++ > AUTH_FAIL_MAX)
>+ if (authctxt->failures++ > options.max_authtries)
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> methods = authmethods_get();
> packet_start(SSH2_MSG_USERAUTH_FAILURE);
>Index: servconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
>retrieving revision 1.132
>diff -u -p -r1.132 servconf.c
>--- servconf.c 8 May 2004 00:01:37 -0000 1.132
>+++ servconf.c 17 May 2004 00:14:12 -0000
>@@ -89,6 +89,8 @@ initialize_server_options(ServerOptions
> options->max_startups_begin = -1;
> options->max_startups_rate = -1;
> options->max_startups = -1;
>+ options->max_authtries = -1;
>+ options->max_authtries_log = -1;
> options->banner = NULL;
> options->use_dns = -1;
> options->client_alive_interval = -1;
>@@ -202,6 +204,10 @@ fill_default_server_options(ServerOption
> options->max_startups_rate = 100; /* 100% */
> if (options->max_startups_begin == -1)
> options->max_startups_begin = options->max_startups;
>+ if (options->max_authtries == -1)
>+ options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
>+ if (options->max_authtries_log == -1)
>+ options->max_authtries_log = options->max_authtries / 2;
> if (options->use_dns == -1)
> options->use_dns = 1;
> if (options->client_alive_interval == -1)
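Review bot: In the fill_default_server_options hunk nothing relates `max_authtries_log` to `max_authtries` once both are set explicitly. A MaxAuthTriesLog configured well above MaxAuthTries is never reached before the disconnect, so the `authctxt->failures >= options.max_authtries_log` condition in auth_log stops raising the log level for repeated failures, and that loss of detection signal is silent. Consider clamping after the defaults are filled, `if (options->max_authtries_log > options->max_authtries) options->max_authtries_log = options->max_authtries;`, or at least stating the relationship in sshd_config.5. The function body continues outside the hunk.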
>@@ -239,7 +245,8 @@ typedef enum {
> sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
> sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
> sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
>- sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
>+ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
>+ sMaxStartups, sMaxAuthTries, sMaxAuthTriesLog,
> sBanner, sUseDNS, sHostbasedAuthentication,
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
> sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
>@@ -322,6 +329,8 @@ static struct {
> { "gatewayports", sGatewayPorts },
> { "subsystem", sSubsystem },
> { "maxstartups", sMaxStartups },
>+ { "maxauthtries", sMaxAuthTries },
>+ { "maxauthtrieslog", sMaxAuthTriesLog },
> { "banner", sBanner },
> { "usedns", sUseDNS },
> { "verifyreversemapping", sDeprecated },
>@@ -827,6 +836,14 @@ parse_flag:
> else
> options->max_startups = options->max_startups_begin;
> break;
>+
>+ case sMaxAuthTries:
>+ intptr = &options->max_authtries;
>+ goto parse_int;
>+
>+ case sMaxAuthTriesLog:
>+ intptr = &options->max_authtries_log;
>+ goto parse_int;
>
> case sBanner:
> charptr = &options->banner;
>Index: servconf.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
>retrieving revision 1.68
>diff -u -p -r1.68 servconf.h
>--- servconf.h 27 Apr 2004 09:46:37 -0000 1.68
>+++ servconf.h 17 May 2004 00:14:12 -0000
>@@ -33,6 +33,7 @@
> #define PERMIT_NO_PASSWD 2
> #define PERMIT_YES 3
>
>+#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
>
> typedef struct {
> u_int num_ports;
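Review bot: The new `case sMaxAuthTries:` and `case sMaxAuthTriesLog:` branches hand the value straight to `parse_int` with no range check visible in this hunk; `parse_int` itself lies outside it, so whether it validates is an assumption to confirm. As written, an explicit -1 is indistinguishable from "unset" and silently becomes the default in fill_default_server_options, any other negative MaxAuthTries makes `failures++ > options.max_authtries` true on the first failure, and a very large value effectively removes the per-connection limit. Consider normalising out-of-range input where the defaults are filled, `if (options->max_authtries < 1) options->max_authtries = DEFAULT_AUTH_FAIL_MAX;`, and documenting the accepted range in sshd_config.5.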
>@@ -114,6 +115,8 @@ typedef struct {
> int max_startups_begin;
> int max_startups_rate;
> int max_startups;
>+ int max_authtries;
>+ int max_authtries_log;
> char *banner; /* SSH-2 banner message */
> int use_dns;
> int client_alive_interval; /*
>Index: sshd_config
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
>retrieving revision 1.68
>diff -u -p -r1.68 sshd_config
>--- sshd_config 29 Dec 2003 16:39:50 -0000 1.68
>+++ sshd_config 17 May 2004 00:14:12 -0000
>@@ -33,6 +33,8 @@
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
>+#MaxAuthTries 6
>+#MaxAuthTriesLog 3
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
>Index: sshd_config.5
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
>retrieving revision 1.32
>diff -u -p -r1.32 sshd_config.5
>--- sshd_config.5 28 Apr 2004 07:02:56 -0000 1.32
>+++ sshd_config.5 17 May 2004 00:14:12 -0000
>@@ -402,6 +402,13 @@ for data integrity protection.
> Multiple algorithms must be comma-separated.
> The default is
> .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
>+.It Cm MaxAuthTries
>+Specifies the maximum number of authentication attempts permitted per
>+connection. The default is 6.
>+.It Cm MaxAuthTriesLog
>+Specifies the number of authentication failures required to generate a
>+failure message in the log. The default is half of
>+.Cm MaxAuthTries .
> .It Cm MaxStartups
> Specifies the maximum number of concurrent unauthenticated connections to the
> .Nm sshd
Attachments on
bug 561
:
382
|
623
| 636