import openssh-5.1p1-gsskex-cjwatson-20080722.patch

author: Colin Watson <cjwatson@debian.org> 2009-12-29 21:42:53 +0000
committer: Colin Watson <cjwatson@debian.org> 2009-12-29 21:42:53 +0000
commit: 87552344215a38d3a2b0d4d63dc151e05978bbe1 (patch)
tree: 9f4b96055e6ccaa915e8d59d9f2805e9e119371d /auth2.c
parent: a25ec0b132c44c9e341e08464ff830de06b81126 (diff)
parent: ef94e5613d37bcbf880f21ee6094e4b1c7683a4c (diff)
1 files changed, 79 insertions, 7 deletions
diff --git a/auth2.c b/auth2.c
index 828a7bc1a..3ee44014d 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.115 2007/04/14 22:01:58 stevesk Exp $ */
+/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -26,12 +26,17 @@
 #include "includes.h"
 #include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/uio.h>
+#include <fcntl.h>
 #include <pwd.h>
 #include <stdarg.h>
 #include <string.h>
+#include <unistd.h>
 #include "xmalloc.h"
+#include "atomicio.h"
 #include "ssh2.h"
 #include "packet.h"
 #include "log.h"
@@ -89,12 +94,75 @@ static void input_userauth_request(int, u_int32_t, void *);
 /* helper */
 static Authmethod *authmethod_lookup(const char *);
 static char *authmethods_get(void);
-int user_key_allowed(struct passwd *, Key *);
+char *
+auth2_read_banner(void)
+{
+        struct stat st;
+        char *banner = NULL;
+        size_t len, n;
+        int fd;
+        if ((fd = open(options.banner, O_RDONLY)) == -1)
+                return (NULL);
+        if (fstat(fd, &st) == -1) {
+                close(fd);
+                return (NULL);
+        }
+        if (st.st_size > 1*1024*1024) {
+                close(fd);
+                return (NULL);
+        }
+        len = (size_t)st.st_size;               /* truncate */
+        banner = xmalloc(len + 1);
+        n = atomicio(read, fd, banner, len);
+        close(fd);
+        if (n != len) {
+                xfree(banner);
+                return (NULL);
+        }
+        banner[n] = '\0';
+        return (banner);
+}
+void
+userauth_send_banner(const char *msg)
+{
+        if (datafellows & SSH_BUG_BANNER)
+                return;
+        packet_start(SSH2_MSG_USERAUTH_BANNER);
+        packet_put_cstring(msg);
+        packet_put_cstring("");         /* language, unused */
+        packet_send();
+        debug("%s: sent", __func__);
+}
+static void
+userauth_banner(void)
+{
+        char *banner = NULL;
+        if (options.banner == NULL ||
+            strcasecmp(options.banner, "none") == 0 ||
+            (datafellows & SSH_BUG_BANNER) != 0)
+                return;
+        if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+                goto done;
+        userauth_send_banner(banner);
+done:
+        if (banner)
+                xfree(banner);
+}
 /*
 * loop until authctxt->success == TRUE
 */
 void
 do_authentication2(Authctxt *authctxt)
 {
@@ -182,6 +250,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                authctxt->style = style ? xstrdup(style) : NULL;
                if (use_privsep)
                        mm_inform_authserv(service, style);
+                userauth_banner();
        } else if (strcmp(user, authctxt->user) != 0 ||
            strcmp(service, authctxt->service) != 0) {
                packet_disconnect("Change of username or service not allowed: "
@@ -201,7 +270,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
        /* try to authenticate user */
        m = authmethod_lookup(method);
-        if (m != NULL) {
+        if (m != NULL && authctxt->failures < options.max_authtries) {
                debug2("input_userauth_request: try method %s", method);
                authenticated = m->userauth(authctxt);
        }
@@ -268,9 +337,11 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                /* now we can break out */
                authctxt->success = 1;
        } else {
-                /* Dont count server configuration issues against the client */
-                if (!authctxt->server_caused_failure && 
+                /* Allow initial try of "none" auth without failure penalty */
-                    authctxt->failures++ > options.max_authtries) {
+                if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+                        authctxt->failures++;
+                if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
@@ -326,3 +397,4 @@ authmethod_lookup(const char *name)
            name ? name : "NULL");
        return NULL;
 }
author	Colin Watson <cjwatson@debian.org>	2009-12-29 21:42:53 +0000
committer	Colin Watson <cjwatson@debian.org>	2009-12-29 21:42:53 +0000
commit	87552344215a38d3a2b0d4d63dc151e05978bbe1 (patch)
tree	9f4b96055e6ccaa915e8d59d9f2805e9e119371d /auth2.c
parent	a25ec0b132c44c9e341e08464ff830de06b81126 (diff)
parent	ef94e5613d37bcbf880f21ee6094e4b1c7683a4c (diff)

diff --git a/auth2.c b/auth2.c index 828a7bc1a..3ee44014d 100644 --- a/auth2.c +++ b/auth2.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2.c,v 1.115 2007/04/14 22:01:58 stevesk Exp $ */	1	/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -26,12 +26,17 @@
26	#include "includes.h"	26	#include "includes.h"
27		27
28	#include <sys/types.h>	28	#include <sys/types.h>
		29	#include <sys/stat.h>
		30	#include <sys/uio.h>
29		31
		32	#include <fcntl.h>
30	#include <pwd.h>	33	#include <pwd.h>
31	#include <stdarg.h>	34	#include <stdarg.h>
32	#include <string.h>	35	#include <string.h>
		36	#include <unistd.h>
33		37
34	#include "xmalloc.h"	38	#include "xmalloc.h"
		39	#include "atomicio.h"
35	#include "ssh2.h"	40	#include "ssh2.h"
36	#include "packet.h"	41	#include "packet.h"
37	#include "log.h"	42	#include "log.h"
@@ -89,12 +94,75 @@ static void input_userauth_request(int, u_int32_t, void *);
89	/* helper */	94	/* helper */
90	static Authmethod authmethod_lookup(const char );	95	static Authmethod authmethod_lookup(const char );
91	static char *authmethods_get(void);	96	static char *authmethods_get(void);
92	int user_key_allowed(struct passwd , Key );	97
		98	char *
		99	auth2_read_banner(void)
		100	{
		101	struct stat st;
		102	char *banner = NULL;
		103	size_t len, n;
		104	int fd;
		105
		106	if ((fd = open(options.banner, O_RDONLY)) == -1)
		107	return (NULL);
		108	if (fstat(fd, &st) == -1) {
		109	close(fd);
		110	return (NULL);
		111	}
		112	if (st.st_size > 110241024) {
		113	close(fd);
		114	return (NULL);
		115	}
		116
		117	len = (size_t)st.st_size; /* truncate */
		118	banner = xmalloc(len + 1);
		119	n = atomicio(read, fd, banner, len);
		120	close(fd);
		121
		122	if (n != len) {
		123	xfree(banner);
		124	return (NULL);
		125	}
		126	banner[n] = '\0';
		127
		128	return (banner);
		129	}
		130
		131	void
		132	userauth_send_banner(const char *msg)
		133	{
		134	if (datafellows & SSH_BUG_BANNER)
		135	return;
		136
		137	packet_start(SSH2_MSG_USERAUTH_BANNER);
		138	packet_put_cstring(msg);
		139	packet_put_cstring(""); /* language, unused */
		140	packet_send();
		141	debug("%s: sent", __func__);
		142	}
		143
		144	static void
		145	userauth_banner(void)
		146	{
		147	char *banner = NULL;
		148
		149	if (options.banner == NULL \|\|
		150	strcasecmp(options.banner, "none") == 0 \|\|
		151	(datafellows & SSH_BUG_BANNER) != 0)
		152	return;
		153
		154	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
		155	goto done;
		156	userauth_send_banner(banner);
		157
		158	done:
		159	if (banner)
		160	xfree(banner);
		161	}
93		162
94	/*	163	/*
95	* loop until authctxt->success == TRUE	164	* loop until authctxt->success == TRUE
96	*/	165	*/
97
98	void	166	void
99	do_authentication2(Authctxt *authctxt)	167	do_authentication2(Authctxt *authctxt)
100	{	168	{
@@ -182,6 +250,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
182	authctxt->style = style ? xstrdup(style) : NULL;	250	authctxt->style = style ? xstrdup(style) : NULL;
183	if (use_privsep)	251	if (use_privsep)
184	mm_inform_authserv(service, style);	252	mm_inform_authserv(service, style);
		253	userauth_banner();
185	} else if (strcmp(user, authctxt->user) != 0 \|\|	254	} else if (strcmp(user, authctxt->user) != 0 \|\|
186	strcmp(service, authctxt->service) != 0) {	255	strcmp(service, authctxt->service) != 0) {
187	packet_disconnect("Change of username or service not allowed: "	256	packet_disconnect("Change of username or service not allowed: "
@@ -201,7 +270,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
201		270
202	/* try to authenticate user */	271	/* try to authenticate user */
203	m = authmethod_lookup(method);	272	m = authmethod_lookup(method);
204	if (m != NULL) {	273	if (m != NULL && authctxt->failures < options.max_authtries) {
205	debug2("input_userauth_request: try method %s", method);	274	debug2("input_userauth_request: try method %s", method);
206	authenticated = m->userauth(authctxt);	275	authenticated = m->userauth(authctxt);
207	}	276	}
@@ -268,9 +337,11 @@ userauth_finish(Authctxt authctxt, int authenticated, char method)
268	/* now we can break out */	337	/* now we can break out */
269	authctxt->success = 1;	338	authctxt->success = 1;
270	} else {	339	} else {
271	/* Dont count server configuration issues against the client */	340
272	if (!authctxt->server_caused_failure &&	341	/* Allow initial try of "none" auth without failure penalty */
273	authctxt->failures++ > options.max_authtries) {	342	if (authctxt->attempt > 1 \|\| strcmp(method, "none") != 0)
		343	authctxt->failures++;
		344	if (authctxt->failures >= options.max_authtries) {
274	#ifdef SSH_AUDIT_EVENTS	345	#ifdef SSH_AUDIT_EVENTS
275	PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));	346	PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
276	#endif	347	#endif
@@ -326,3 +397,4 @@ authmethod_lookup(const char *name)
326	name ? name : "NULL");	397	name ? name : "NULL");
327	return NULL;	398	return NULL;
328	}	399	}
		400