- djm@cvs.openbsd.org 2008/07/04 23:30:16

     [auth1.c auth2.c]
     Make protocol 1 MaxAuthTries logic match protocol 2's.
     Do not treat the first protocol 2 authentication attempt as
     a failure IFF it is for method "none".
     Makes MaxAuthTries' user-visible behaviour identical for
     protocol 1 vs 2.
     ok dtucker@

1 files changed, 4 insertions, 2 deletions

diff --git a/auth1.c b/auth1.c
index b5798f634..834ef0452 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -284,6 +284,8 @@ do_authloop(Authctxt *authctxt)
                     type != SSH_CMSG_AUTH_TIS_RESPONSE)
                         abandon_challenge_response(authctxt);
 
+                if (authctxt->failures >= options.max_authtries)
+                        goto skip;
                 if ((meth = lookup_authmethod1(type)) == NULL) {
                         logit("Unknown message during authentication: "
                             "type %d", type);
@@ -368,7 +370,7 @@ do_authloop(Authctxt *authctxt)
                 if (authenticated)
                         return;
 
-                if (authctxt->failures++ > options.max_authtries) {
+                if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
                         PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif