- djm@cvs.openbsd.org 2008/07/04 23:30:16

[auth1.c auth2.c] Make protocol 1 MaxAuthTries logic match protocol 2's. Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none". Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2. ok dtucker@
author: Damien Miller <djm@mindrot.org> 2008-07-05 09:44:53 +1000
committer: Damien Miller <djm@mindrot.org> 2008-07-05 09:44:53 +1000
commit: 0b4d48ba74cca40e983d96ba13e66908cf5b5666 (patch)
tree: 6f73ac31ec892638ce9a3a4ce4784549674dda62 /auth2.c
parent: d874fa517be97bdd57b631fd409c337761f1ab46 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/auth2.c b/auth2.c
index 4b96c652f..a835abfc6 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -36,6 +36,7 @@
 #include <unistd.h>
 #include "xmalloc.h"
+#include "atomicio.h"
 #include "ssh2.h"
 #include "packet.h"
 #include "log.h"
@@ -333,7 +334,11 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                /* now we can break out */
                authctxt->success = 1;
        } else {
-                if (++authctxt->failures >= options.max_authtries) {
+                /* Allow initial try of "none" auth without failure penalty */
+                if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+                        authctxt->failures++;
+                if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
author	Damien Miller <djm@mindrot.org>	2008-07-05 09:44:53 +1000
committer	Damien Miller <djm@mindrot.org>	2008-07-05 09:44:53 +1000
commit	0b4d48ba74cca40e983d96ba13e66908cf5b5666 (patch)
tree	6f73ac31ec892638ce9a3a4ce4784549674dda62 /auth2.c
parent	d874fa517be97bdd57b631fd409c337761f1ab46 (diff)

diff --git a/auth2.c b/auth2.c index 4b96c652f..a835abfc6 100644 --- a/auth2.c +++ b/auth2.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */	1	/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -36,6 +36,7 @@
36	#include <unistd.h>	36	#include <unistd.h>
37		37
38	#include "xmalloc.h"	38	#include "xmalloc.h"
		39	#include "atomicio.h"
39	#include "ssh2.h"	40	#include "ssh2.h"
40	#include "packet.h"	41	#include "packet.h"
41	#include "log.h"	42	#include "log.h"
@@ -333,7 +334,11 @@ userauth_finish(Authctxt authctxt, int authenticated, char method)
333	/* now we can break out */	334	/* now we can break out */
334	authctxt->success = 1;	335	authctxt->success = 1;
335	} else {	336	} else {
336	if (++authctxt->failures >= options.max_authtries) {	337
		338	/* Allow initial try of "none" auth without failure penalty */
		339	if (authctxt->attempt > 1 \|\| strcmp(method, "none") != 0)
		340	authctxt->failures++;
		341	if (authctxt->failures >= options.max_authtries) {
337	#ifdef SSH_AUDIT_EVENTS	342	#ifdef SSH_AUDIT_EVENTS
338	PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));	343	PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
339	#endif	344	#endif