Commit 89413dba authored by Darren Tucker

- dtucker@cvs.openbsd.org 2004/05/23 23:59:53

     [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
     Add MaxAuthTries sshd config option; ok markus@
parent e534e121
......@@ -21,6 +21,9 @@
- jmc@cvs.openbsd.org 2004/05/22 16:01:05
[ssh.1]
kill whitespace at eol;
- dtucker@cvs.openbsd.org 2004/05/23 23:59:53
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
Add MaxAuthTries sshd config option; ok markus@
20040523
- (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in
......@@ -1150,4 +1153,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.3364 2004/05/24 00:35:14 dtucker Exp $
$Id: ChangeLog,v 1.3365 2004/05/24 00:36:23 dtucker Exp $
......@@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.53 2004/05/11 19:01:43 deraadt Exp $");
RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
......@@ -242,7 +242,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
/* Raise logging level */
if (authenticated == 1 ||
!authctxt->valid ||
authctxt->failures >= AUTH_FAIL_LOG ||
authctxt->failures >= options.max_authtries / 2 ||
strcmp(method, "password") == 0)
authlog = logit;
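Review bot: The threshold `options.max_authtries / 2` on the new line replaces the named AUTH_FAIL_LOG constant with an inline expression, so the rule that raised logging starts at half of MaxAuthTries now lives only in sshd_config.5; a short comment on that line, `/* log at higher level once half of MaxAuthTries is used up */`, keeps the intent visible to readers of auth_log. With integer division a MaxAuthTries of 1 yields a threshold of 0, so every failure is then logged at the raised level, which looks harmless but is worth knowing when the option is tuned low. auth_log begins outside the hunk.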
/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */
/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
......@@ -181,8 +181,6 @@ void auth_debug_reset(void);
struct passwd *fakepw(void);
#define AUTH_FAIL_MAX 6
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#define SKEY_PROMPT "\nS/Key Password: "
......@@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.56 2004/05/09 01:19:27 djm Exp $");
RCSID("$OpenBSD: auth1.c,v 1.57 2004/05/23 23:59:53 dtucker Exp $");
#include "xmalloc.h"
#include "rsa.h"
......@@ -261,7 +261,7 @@ do_authloop(Authctxt *authctxt)
if (authenticated)
return;
if (authctxt->failures++ > AUTH_FAIL_MAX)
if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
packet_start(SSH_SMSG_FAILURE);
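Review bot: The post-increment comparison `if (authctxt->failures++ > options.max_authtries)` on the new line admits more failed attempts than the option name and its sshd_config.5 text ("maximum number of authentication attempts permitted per connection") promise: with the default of 6 the counter must already be 7 when the check runs, so the disconnect only fires on the eighth failure. The shape is inherited from the old AUTH_FAIL_MAX check, and userauth_finish in auth2.c repeats it, so either the comparison or the documentation should be aligned; `if (++authctxt->failures >= options.max_authtries)` would make the sixth failure the last one in both places. The same counter also feeds the raised-logging threshold in auth_log, so any change here shifts that point as well. do_authloop begins and ends outside the hunk.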
......@@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh2.h"
#include "xmalloc.h"
......@@ -243,7 +243,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
/* now we can break out */
authctxt->success = 1;
} else {
if (authctxt->failures++ > AUTH_FAIL_MAX)
if (authctxt->failures++ > options.max_authtries)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
......@@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $");
RCSID("$OpenBSD: servconf.c,v 1.133 2004/05/23 23:59:53 dtucker Exp $");
#include "ssh.h"
#include "log.h"
......@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions *options)
options->max_startups_begin = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
options->max_authtries = -1;
options->banner = NULL;
options->use_dns = -1;
options->client_alive_interval = -1;
......@@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options)
options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
if (options->max_authtries == -1)
options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
if (options->use_dns == -1)
options->use_dns = 1;
if (options->client_alive_interval == -1)
......@@ -262,7 +265,8 @@ typedef enum {
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries,
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
......@@ -357,6 +361,7 @@ static struct {
{ "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
{ "maxauthtries", sMaxAuthTries },
{ "banner", sBanner },
{ "usedns", sUseDNS },
{ "verifyreversemapping", sDeprecated },
......@@ -869,6 +874,10 @@ parse_flag:
options->max_startups = options->max_startups_begin;
break;
case sMaxAuthTries:
intptr = &options->max_authtries;
goto parse_int;
case sBanner:
charptr = &options->banner;
goto parse_filename;
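Review bot: The new `case sMaxAuthTries` hands the value to `parse_int` with no range check, and nothing in the hunk rejects `MaxAuthTries 0` or a negative setting; because the consumers compare `failures++ > options.max_authtries`, zero or a negative value disconnects every client on its second or first failed attempt, and a negative value other than -1 is not replaced by DEFAULT_AUTH_FAIL_MAX in fill_default_server_options either. If parse_int (outside the hunk) converts with atoi, a mistyped value would presumably become 0 silently as well. Rejecting `options->max_authtries < 1` with fatal() right after the parse would surface the misconfiguration at startup instead of as a lockout. The enclosing function, of which the hunk header shows only the parse_flag label, starts and ends outside the hunk.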
/* $OpenBSD: servconf.h,v 1.68 2004/04/27 09:46:37 djm Exp $ */
/* $OpenBSD: servconf.h,v 1.69 2004/05/23 23:59:53 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
......@@ -33,6 +33,7 @@
#define PERMIT_NO_PASSWD 2
#define PERMIT_YES 3
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
typedef struct {
u_int num_ports;
......@@ -114,6 +115,7 @@ typedef struct {
int max_startups_begin;
int max_startups_rate;
int max_startups;
int max_authtries;
char *banner; /* SSH-2 banner message */
int use_dns;
int client_alive_interval; /*
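Review bot: The new field `int max_authtries;` carries no comment although the neighbouring `banner` field and the DEFAULT_AUTH_FAIL_MAX define both document themselves; a one-liner naming the config keyword, `int max_authtries; /* MaxAuthTries: auth attempts allowed per connection */`, lets readers map the field to the option without searching servconf.c. The typedef'd struct starts and ends outside the hunk.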
# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
......@@ -35,6 +35,7 @@
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
......@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $
.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
......@@ -402,6 +402,10 @@ for data integrity protection.
Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection. Once the number of failures reaches half this value, additional
failures are logged. The default is 6.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm sshd