Bug 2933

Summary: MaxAuthTries validation incorrect
Product: Portable OpenSSH
Reporter: Pete Travis <me>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: minor
CC: djm
Priority: P5
Version: 7.6p1
Hardware: All
OS: Linux

Description Pete Travis 2018-11-20 10:44:26 AEDT
I have a system where MaxAuthTries has been administratively misinterpreted:

[pete9168@workstation ~]$ sudo grep MaxAuthTries /etc/ssh/sshd_config 
MaxAuthTries yes

It passes the syntax validation check:

[pete9168@workstation ~]$ sudo sshd -t && echo "EVERYTHING IS OK HERE"
EVERYTHING IS OK HERE

The daemon does not receive a valid integer for MaxAuthTries and seems to interpret a maximum attempt count of zero:

[pete9168@workstation ~]$ ssh localhost
Received disconnect from ::1 port 22:2: Too many authentication failures
Disconnected from ::1 port 22

Please adjust `sshd -t` such that MaxAuthTries requires an integer > 0 to pass.

I initially observed this behavior with openssh-server-1:6.6p1-2ubuntu2.11; the above validation is from openssh-server-7.6p1-6.fc27.x86_64.

Comment 1 Damien Miller 2018-12-07 14:27:28 AEDT
This has already been fixed in the openssh-7.7 release via the following commit:

commit 609d96b3d58475a15b2eb6b3d463f2c5d8e510c0
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Dec 5 23:59:47 2017 +0000

    upstream commit
    
    Replace atoi and strtol conversions for integer arguments
    to config keywords with a checking wrapper around strtonum.  This will
    prevent and flag invalid and negative arguments to these keywords.  ok djm@
    
    OpenBSD-Commit-ID: 99ae3981f3d608a219ccb8d2fff635ae52c17998
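
Added example, not part of the bug thread and not OpenSSH's code: it contrasts atoi() with a checked conversion of the kind the commit message describes, showing why "MaxAuthTries yes" turned into 0 without any error. parse_checked is a hypothetical helper built on strtol as a stand-in for strtonum (which not every libc provides), and the 0..INT_MAX range and sample arguments are assumptions made for the demonstration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical checked conversion (not OpenSSH's code): accepts only a
 * complete decimal integer in [minval, maxval], with maxval <= INT_MAX.
 * Returns NULL and stores the value in *out on success; otherwise returns
 * the reason for rejection and leaves *out untouched.
 */
static const char *parse_checked(const char *arg, long minval, long maxval,
    int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0')
        return "invalid";       /* no digits at all, or trailing junk */
    if (v < minval || (errno == ERANGE && v == LONG_MIN))
        return "too small";
    if (v > maxval || (errno == ERANGE && v == LONG_MAX))
        return "too large";
    *out = (int)v;
    return NULL;
}

int main(void)
{
    /* Constructed sample arguments; "yes" is the value from the report. */
    const char *samples[] = { "6", "yes", "-1", "6x", "" };
    int v = 0;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *err = parse_checked(samples[i], 0, INT_MAX, &v);
        printf("[%s] atoi=%d checked=%s\n", samples[i],
            atoi(samples[i]), err ? err : "accepted");
    }
    return 0;
}
```

A config parser that treats a non-NULL return as a fatal error makes a test-mode run fail on such a value instead of silently loading 0.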

Comment 2 Damien Miller 2019-05-03 14:42:35 AEST
Move resolved bugs -> CLOSED after 8.0 release