

(-)auth.c (-1 / +1 lines)
Lines 162-168 auth_log(Authctxt *authctxt, int authent Link Here
162
	/* Raise logging level */
162
	/* Raise logging level */
163
	if (authenticated == 1 ||
163
	if (authenticated == 1 ||
164
	    !authctxt->valid ||
164
	    !authctxt->valid ||
165
	    authctxt->failures >= AUTH_FAIL_LOG ||
165
	    authctxt->failures >= options.max_authtries_log ||
166
	    strcmp(method, "password") == 0)
166
	    strcmp(method, "password") == 0)
167
		authlog = logit;
167
		authlog = logit;
168
168
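Review bot: The raised-logging threshold now comes from `options.max_authtries_log`, but nothing visible reconciles it with `options.max_authtries`: if an administrator sets MaxAuthTriesLog higher than MaxAuthTries, the `authctxt->failures >= options.max_authtries_log` branch is never reached before the connection is dropped, so a run of failures on that connection never gets logged at the raised level. fill_default_server_options only substitutes a default for -1, so either clamp the log threshold to max_authtries there or state in sshd_config.5 that MaxAuthTriesLog should not exceed MaxAuthTries. The patch adds no declaration to auth.c, so this also assumes the file already has `extern ServerOptions options;` in scope. auth_log begins before this hunk; the other conditions (`authenticated == 1`, invalid user, password method) are unchanged.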
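--- a/auth.h
+++ b/auth.h
@@ -170,8 +170,6 @@ void auth_debug_reset(void);
 
 struct passwd *fakepw(void);
 
-#define AUTH_FAIL_MAX 6
-#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
 #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
 
 #define SKEY_PROMPT "\nS/Key Password: "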
(-)auth1.c (-1 / +1 lines)
Lines 221-227 do_authloop(Authctxt *authctxt) Link Here
221
		if (authenticated)
221
		if (authenticated)
222
			return;
222
			return;
223
223
224
		if (authctxt->failures++ > AUTH_FAIL_MAX)
224
		if (authctxt->failures++ > options.max_authtries)
225
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
225
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
226
226
227
		packet_start(SSH_SMSG_FAILURE);
227
		packet_start(SSH_SMSG_FAILURE);
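Review bot: The disconnect test `if (authctxt->failures++ > options.max_authtries)` compares the pre-increment count with `>`, so a connection survives max_authtries + 1 failed attempts and is dropped on the next one: with the documented default of 6, seven failures are answered with SSH_SMSG_FAILURE and the eighth disconnects. That is carried over from the old `> AUTH_FAIL_MAX` test, but now that the limit is an administrator-facing option documented as "the maximum number of authentication attempts permitted per connection", the enforced count should match the description; `if (authctxt->failures++ >= options.max_authtries)` disconnects on the attempt after the sixth failure. The same expression appears in the userauth_finish hunk of auth2.c and should be changed in step so both protocol versions enforce the same limit. do_authloop begins before this hunk.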
(-)auth2.c (-1 / +1 lines)
Lines 223-229 userauth_finish(Authctxt *authctxt, int Link Here
223
		/* now we can break out */
223
		/* now we can break out */
224
		authctxt->success = 1;
224
		authctxt->success = 1;
225
	} else {
225
	} else {
226
		if (authctxt->failures++ > AUTH_FAIL_MAX)
226
		if (authctxt->failures++ > options.max_authtries)
227
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
227
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
228
		methods = authmethods_get();
228
		methods = authmethods_get();
229
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
229
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
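--- a/servconf.c
+++ b/servconf.c
@@ -90,6 +90,8 @@ initialize_server_options(ServerOptions
 	options->max_startups_begin = -1;
 	options->max_startups_rate = -1;
 	options->max_startups = -1;
+	options->max_authtries = -1;
+	options->max_authtries_log = -1;
 	options->banner = NULL;
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
@@ -203,6 +205,10 @@ fill_default_server_options(ServerOption
 		options->max_startups_rate = 100;		/* 100% */
 	if (options->max_startups_begin == -1)
 		options->max_startups_begin = options->max_startups;
+	if (options->max_authtries == -1)
+		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+	if (options->max_authtries_log == -1)
+		options->max_authtries_log = options->max_authtries / 2;
 	if (options->use_dns == -1)
 		options->use_dns = 1;
 	if (options->client_alive_interval == -1)
@@ -240,7 +246,8 @@ typedef enum {
 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
+	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
+	sMaxStartups, sMaxAuthTries, sMaxAuthTriesLog,
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -323,6 +330,8 @@ static struct {
 	{ "gatewayports", sGatewayPorts },
 	{ "subsystem", sSubsystem },
 	{ "maxstartups", sMaxStartups },
+	{ "maxauthtries", sMaxAuthTries },
+	{ "maxauthtrieslog", sMaxAuthTriesLog },
 	{ "banner", sBanner },
 	{ "usedns", sUseDNS },
 	{ "verifyreversemapping", sDeprecated },
@@ -828,6 +837,14 @@ parse_flag:
 		else
 			options->max_startups = options->max_startups_begin;
 		break;
+
+	case sMaxAuthTries:
+		intptr = &options->max_authtries;
+		goto parse_int;
+
+	case sMaxAuthTriesLog:
+		intptr = &options->max_authtries_log;
+		goto parse_int;
 
 	case sBanner:
 		charptr = &options->banner;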
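Review bot: The new `case sMaxAuthTries:` and `case sMaxAuthTriesLog:` branches jump to the shared `parse_int` label with no range check of their own, so whatever that path accepts (0 and negative values, unless parse_int itself rejects them — it is outside the hunk) is stored unchanged, and because fill_default_server_options treats only -1 as unset, a configured `MaxAuthTries -1` is silently replaced by DEFAULT_AUTH_FAIL_MAX instead of being reported. With the tests in auth1.c/auth2.c a negative MaxAuthTries disconnects on the first failure and a negative MaxAuthTriesLog logs every attempt at the raised level, which is unlikely to be what an administrator intended. Consider rejecting values below 0 as a fatal configuration error right after the parse, the way the MaxStartups branch post-processes its parsed values, and stating the accepted range in sshd_config.5. The other hunks in this file (option initialisation, defaults, enum and keyword table) are consistent with each other.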
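--- a/servconf.h
+++ b/servconf.h
@@ -33,6 +33,7 @@
 #define	PERMIT_NO_PASSWD	2
 #define	PERMIT_YES		3
 
+#define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
 
 typedef struct {
 	u_int num_ports;
@@ -114,6 +115,8 @@ typedef struct {
 	int	max_startups_begin;
 	int	max_startups_rate;
 	int	max_startups;
+	int	max_authtries;
+	int	max_authtries_log;
 	char   *banner;			/* SSH-2 banner message */
 	int	use_dns;
 	int	client_alive_interval;	/*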
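Review bot: The two new ServerOptions fields `max_authtries` and `max_authtries_log` carry no comment, while the neighbouring `banner` field does; suggest `int	max_authtries;		/* MaxAuthTries; -1 = use DEFAULT_AUTH_FAIL_MAX */` and `int	max_authtries_log;	/* MaxAuthTriesLog; -1 = half of max_authtries */`. The -1 sentinel is what initialize_server_options stores and fill_default_server_options tests, so naming it on the struct saves readers a trip to servconf.c. The typedef struct continues outside this hunk.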
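--- a/sshd_config.5
+++ b/sshd_config.5
@@ -402,6 +402,13 @@ for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is
 .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.It Cm MaxAuthTries
+Specifies the maximum number of authentication attempts permitted per
+connection.  The default is 6.
+.It Cm MaxAuthTriesLog
+Specifies the number of authentication failures required to generate a
+failure message in the log.  The default is half of
+.Cm MaxAuthTries .
 .It Cm MaxStartups
 Specifies the maximum number of concurrent unauthenticated connections to the
 .Nm sshd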
