
(-)auth.c (-1 / +1 lines)
Lines 161-167 auth_log(Authctxt *authctxt, int authent Link Here
161
	/* Raise logging level */
161
	/* Raise logging level */
162
	if (authenticated == 1 ||
162
	if (authenticated == 1 ||
163
	    !authctxt->valid ||
163
	    !authctxt->valid ||
164
	    authctxt->failures >= AUTH_FAIL_LOG ||
164
	    authctxt->failures >= options.max_authtries_log ||
165
	    strcmp(method, "password") == 0)
165
	    strcmp(method, "password") == 0)
166
		authlog = logit;
166
		authlog = logit;
167
167
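Review bot: Replacing the compile-time AUTH_FAIL_LOG with `options.max_authtries_log` at line 164 makes auth_log read the global server configuration, and the hunk does not show that auth.c has the `extern ServerOptions options;` declaration and the servconf.h include in scope, so that is worth confirming before merge. Because the threshold is now runtime-configurable, a MaxAuthTriesLog set above the disconnect limit would mean repeated non-password failures never reach this `authlog = logit;` branch; a one-line comment such as `/* MaxAuthTriesLog: failures before auth failures are logged at logit */` on line 164 would make that dependency visible to the next reader. auth_log continues outside the hunk.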
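--- a/auth.h
+++ b/auth.h
@@ -170,8 +170,6 @@ void auth_debug_reset(void);
 
 struct passwd *fakepw(void);
 
-#define AUTH_FAIL_MAX 6
-#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
 #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
 
 #define SKEY_PROMPT "\nS/Key Password: "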
(-)auth1.c (-1 / +1 lines)
Lines 220-226 do_authloop(Authctxt *authctxt) Link Here
220
		if (authenticated)
220
		if (authenticated)
221
			return;
221
			return;
222
222
223
		if (authctxt->failures++ > AUTH_FAIL_MAX)
223
		if (authctxt->failures++ > options.max_authtries)
224
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
224
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
225
225
226
		packet_start(SSH_SMSG_FAILURE);
226
		packet_start(SSH_SMSG_FAILURE);
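Review bot: The post-increment with `>` on line 223 keeps the pre-existing limit semantics, which now contradict the new documentation: assuming `failures` starts at 0 (its initialisation is outside the hunk), the test only fires once the count before increment exceeds max_authtries, so with the default of 6 the seventh failure is still answered with SSH_SMSG_FAILURE and the eighth disconnects. The added sshd_config.5 text says MaxAuthTries "Specifies the maximum number of authentication attempts permitted per connection", so either the check should become `if (authctxt->failures++ >= options.max_authtries)` or the man page should describe the real count. The identical comparison is added in userauth_finish in auth2.c at line 226 of that file and needs the same decision. do_authloop begins and ends outside the hunk.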
(-)auth2.c (-1 / +1 lines)
Lines 223-229 userauth_finish(Authctxt *authctxt, int Link Here
223
		/* now we can break out */
223
		/* now we can break out */
224
		authctxt->success = 1;
224
		authctxt->success = 1;
225
	} else {
225
	} else {
226
		if (authctxt->failures++ > AUTH_FAIL_MAX)
226
		if (authctxt->failures++ > options.max_authtries)
227
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
227
			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
228
		methods = authmethods_get();
228
		methods = authmethods_get();
229
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
229
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
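--- a/servconf.c
+++ b/servconf.c
@@ -89,6 +89,8 @@ initialize_server_options(ServerOptions
 	options->max_startups_begin = -1;
 	options->max_startups_rate = -1;
 	options->max_startups = -1;
+	options->max_authtries = -1;
+	options->max_authtries_log = -1;
 	options->banner = NULL;
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
@@ -202,6 +204,10 @@ fill_default_server_options(ServerOption
 		options->max_startups_rate = 100;		/* 100% */
 	if (options->max_startups_begin == -1)
 		options->max_startups_begin = options->max_startups;
+	if (options->max_authtries == -1)
+		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+	if (options->max_authtries_log == -1)
+		options->max_authtries_log = options->max_authtries / 2;
 	if (options->use_dns == -1)
 		options->use_dns = 1;
 	if (options->client_alive_interval == -1)
@@ -239,7 +245,8 @@ typedef enum {
 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
+	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
+	sMaxStartups, sMaxAuthTries, sMaxAuthTriesLog,
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -322,6 +329,8 @@ static struct {
 	{ "gatewayports", sGatewayPorts },
 	{ "subsystem", sSubsystem },
 	{ "maxstartups", sMaxStartups },
+	{ "maxauthtries", sMaxAuthTries },
+	{ "maxauthtrieslog", sMaxAuthTriesLog },
 	{ "banner", sBanner },
 	{ "usedns", sUseDNS },
 	{ "verifyreversemapping", sDeprecated },
@@ -827,6 +836,14 @@ parse_flag:
 		else
 			options->max_startups = options->max_startups_begin;
 		break;
+
+	case sMaxAuthTries:
+		intptr = &options->max_authtries;
+		goto parse_int;
+
+	case sMaxAuthTriesLog:
+		intptr = &options->max_authtries_log;
+		goto parse_int;
 
 	case sBanner:
 		charptr = &options->banner;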
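Review bot: The defaults filled in fill_default_server_options (new lines 207-210) are never range-checked, and nothing visible in the parse_int path (its body is outside the hunk) suggests it validates either value, so a configured MaxAuthTriesLog larger than MaxAuthTries means repeated failures for non-password methods never satisfy the `failures >= options.max_authtries_log` test in auth_log and are only logged at the lower level, which quietly removes brute-force visibility, while a negative MaxAuthTries makes the `failures++ > options.max_authtries` test in auth1.c/auth2.c disconnect on the very first failure. After the defaults are filled I would clamp or reject: `if (options->max_authtries < 1)` should be treated as a configuration error the way other bad values are, and `if (options->max_authtries_log > options->max_authtries) options->max_authtries_log = options->max_authtries;` keeps the log threshold reachable. sshd_config.5 should then say that MaxAuthTriesLog must not exceed MaxAuthTries. The enum, keyword table and switch hunks are consistent with each other and need nothing further.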
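--- a/servconf.h
+++ b/servconf.h
@@ -33,6 +33,7 @@
 #define	PERMIT_NO_PASSWD	2
 #define	PERMIT_YES		3
 
+#define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
 
 typedef struct {
 	u_int num_ports;
@@ -114,6 +115,8 @@ typedef struct {
 	int	max_startups_begin;
 	int	max_startups_rate;
 	int	max_startups;
+	int	max_authtries;
+	int	max_authtries_log;
 	char   *banner;			/* SSH-2 banner message */
 	int	use_dns;
 	int	client_alive_interval;	/*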
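Review bot: The two new ServerOptions fields on new lines 118-119 carry no trailing comment although the neighbouring `banner` member documents its purpose and the macro on new line 36 already names the config keyword, so a reader of the header cannot tell which is the disconnect limit and which the logging threshold. Suggest `int	max_authtries;		/* MaxAuthTries: failures before disconnect */` and `int	max_authtries_log;	/* MaxAuthTriesLog: failures before logging at logit */`, matching the comment style used on `banner`. The typedef struct is cut at both edges of the hunk.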
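--- a/sshd_config
+++ b/sshd_config
@@ -33,6 +33,8 @@
 #LoginGraceTime 2m
 #PermitRootLogin yes
 #StrictModes yes
+#MaxAuthTries 6
+#MaxAuthTriesLog 3
 
 #RSAAuthentication yes
 #PubkeyAuthentication yes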
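--- a/sshd_config.5
+++ b/sshd_config.5
@@ -402,6 +402,13 @@ for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is
 .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.It Cm MaxAuthTries
+Specifies the maximum number of authentication attempts permitted per
+connection.  The default is 6.
+.It Cm MaxAuthTriesLog
+Specifies the number of authentication failures required to generate a
+failure message in the log.  The default is half of
+.Cm MaxAuthTries .
 .It Cm MaxStartups
 Specifies the maximum number of concurrent unauthenticated connections to the
 .Nm sshd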
