-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | auth2-gss.c | 4 | ||||
-rw-r--r-- | auth2.c | 6 |
3 files changed, 13 insertions, 3 deletions
@@ -8,6 +8,12 @@ | |||
8 | [regress/README.regress] Remove ssh-rand-helper and all its | 8 | [regress/README.regress] Remove ssh-rand-helper and all its |
9 | tentacles. PRNGd seeding has been rolled into entropy.c directly. | 9 | tentacles. PRNGd seeding has been rolled into entropy.c directly. |
10 | Thanks to tim@ for testing on affected platforms. | 10 | Thanks to tim@ for testing on affected platforms. |
11 | - OpenBSD CVS Sync | ||
12 | - djm@cvs.openbsd.org 2011/03/10 02:52:57 | ||
13 | [auth2-gss.c auth2.c] | ||
14 | allow GSSAPI authentication to detect when a server-side failure causes | ||
15 | authentication failure and don't count such failures against MaxAuthTries; | ||
16 | bz#1244 from simon AT sxw.org.uk; ok markus@ before lock | ||
11 | 17 | ||
12 | 20110221 | 18 | 20110221 |
13 | - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the | 19 | - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the |
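--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */
 
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -102,6 +102,7 @@ userauth_gssapi(Authctxt *authctxt)
 
 if (!present) {
 xfree(doid);
+authctxt->server_caused_failure = 1;
 return (0);
 }
 
@@ -109,6 +110,7 @@ userauth_gssapi(Authctxt *authctxt)
 if (ctxt != NULL)
 ssh_gssapi_delete_ctx(&ctxt);
 xfree(doid);
+authctxt->server_caused_failure = 1;
 return (0);
 }
 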
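Review bot: The first early return in `userauth_gssapi` sets `authctxt->server_caused_failure = 1` under `if (!present)`, but whether that is a server-side condition depends on how `present` is computed above the hunk, which is not visible here. If the value can also end up zero because of what the client sent, such requests would never advance `failures` toward MaxAuthTries; no credential is checked on that path, so the effect would be unmetered requests rather than extra guesses, limited only by whatever other bounds the server applies. I would add a comment at each of the two sites stating why the failure is attributed to the server, for example `/* no mechanism usable on this server: don't count against MaxAuthTries */`, and emit a debug-level log line there so repeated occurrences show up in the logs. The function starts and ends outside these hunks.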
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2.c,v 1.122 2010/08/31 09:58:37 djm Exp $ */ | 1 | /* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -274,6 +274,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
274 | #endif | 274 | #endif |
275 | 275 | ||
276 | authctxt->postponed = 0; | 276 | authctxt->postponed = 0; |
277 | authctxt->server_caused_failure = 0; | ||
277 | 278 | ||
278 | /* try to authenticate user */ | 279 | /* try to authenticate user */ |
279 | m = authmethod_lookup(method); | 280 | m = authmethod_lookup(method); |
@@ -346,7 +347,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
346 | } else { | 347 | } else { |
347 | 348 | ||
348 | /* Allow initial try of "none" auth without failure penalty */ | 349 | /* Allow initial try of "none" auth without failure penalty */ |
349 | if (authctxt->attempt > 1 || strcmp(method, "none") != 0) | 350 | if (!authctxt->server_caused_failure && |
351 | (authctxt->attempt > 1 || strcmp(method, "none") != 0)) | ||
350 | authctxt->failures++; | 352 | authctxt->failures++; |
351 | if (authctxt->failures >= options.max_authtries) { | 353 | if (authctxt->failures >= options.max_authtries) { |
352 | #ifdef SSH_AUDIT_EVENTS | 354 | #ifdef SSH_AUDIT_EVENTS |
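Review bot: The comment above the changed condition in `userauth_finish` still describes only the "none" exemption, while the test now also skips `failures++` whenever `authctxt->server_caused_failure` is set; I would reword it to `/* Don't count server-caused failures or the initial "none" try against MaxAuthTries */`. Because this flag now decides whether MaxAuthTries applies, the reset `authctxt->server_caused_failure = 0;` in `input_userauth_request` is what keeps a value left over from an earlier request from exempting a later one, and a one-line comment there saying so would protect it from being moved or dropped. The diffstat lists only ChangeLog, auth2-gss.c and auth2.c, so the declaration of `server_caused_failure` in `Authctxt` is not part of this page; it is worth confirming that the header already carries it. Both functions continue outside the hunks.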