    - djm@cvs.openbsd.org 2008/07/02 12:36:39 · 4230a5dc
    Darren Tucker authored
         [auth2-none.c auth2.c]
         Make protocol 2 MaxAuthTries behaviour a little more sensible:
         Check whether client has exceeded MaxAuthTries before running
         an authentication method and skip it if they have; previously it
         would always allow one try (for "none" auth).
         Preincrement failure count before post-auth test - previously this
         checked and postincremented, also to allow one "none" try.
         Together, these two changes always count the "none" auth method
         which could be skipped by a malicious client (e.g. an SSH worm)
         to get an extra attempt at a real auth method. They also make
         MaxAuthTries=0 a useful way to block users entirely (esp. in a
         sshd_config Match block).
         Also, move sending of any preauth banner from "none" auth method
         to the first call to input_userauth_request(), so worms that skip
         the "none" method get to see it too.
auth2.c 9.62 KB
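The counting change described in the commit message above, as a simplified model that is an added example and not code from auth2.c. The struct, the function names and the `>` comparison are assumptions made for illustration; only the order of operations (run, test, post-increment versus limit check, pre-increment, test) comes from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; struct, field and function names are hypothetical. */
struct auth_model {
    int failures;       /* failure counter compared against MaxAuthTries */
    bool disconnected;
};

/* Old order: always run the method, then test the count and post-increment.
 * The ">" comparison is an assumption of this model. */
static bool request_old(struct auth_model *a, int max_authtries)
{
    if (a->failures++ > max_authtries)
        a->disconnected = true;
    return true;                    /* the method was executed */
}

/* New order: skip the method once the limit is reached, then pre-increment
 * the failure count and test it. */
static bool request_new(struct auth_model *a, int max_authtries)
{
    bool ran = a->failures < max_authtries;
    if (++a->failures > max_authtries)
        a->disconnected = true;
    return ran;
}

/* Send always-failing requests until disconnect and return how many real
 * (non-"none") methods ran. If sends_none, the first request is "none". */
int real_attempts(bool new_logic, int max_authtries, bool sends_none)
{
    struct auth_model a = {0, false};
    int real = 0;
    for (int n = 0; !a.disconnected; n++) {
        bool ran = new_logic ? request_new(&a, max_authtries)
                             : request_old(&a, max_authtries);
        if (ran && !(sends_none && n == 0))
            real++;
    }
    return real;
}

int main(void)
{
    for (int none = 1; none >= 0; none--)
        printf("MaxAuthTries=6 sends_none=%d old=%d new=%d\n", none,
            real_attempts(false, 6, none), real_attempts(true, 6, none));
    printf("MaxAuthTries=0 new=%d\n", real_attempts(true, 0, false));
    return 0;
}
```

In this model the old order lets the number of executed methods exceed the configured limit, while the new order never runs more methods than MaxAuthTries and runs none at all when the limit is 0.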