summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ChangeLog5
-rw-r--r--auth.c4
-rw-r--r--auth.h4
-rw-r--r--auth1.c4
-rw-r--r--auth2.c4
-rw-r--r--servconf.c13
-rw-r--r--servconf.h4
-rw-r--r--sshd_config3
-rw-r--r--sshd_config.56
9 files changed, 32 insertions, 15 deletions
diff --git a/ChangeLog b/ChangeLog
index ff05bc462..9ce0adb09 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,9 @@
21 - jmc@cvs.openbsd.org 2004/05/22 16:01:05 21 - jmc@cvs.openbsd.org 2004/05/22 16:01:05
22 [ssh.1] 22 [ssh.1]
23 kill whitespace at eol; 23 kill whitespace at eol;
24 - dtucker@cvs.openbsd.org 2004/05/23 23:59:53
25 [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
26 Add MaxAuthTries sshd config option; ok markus@
24 27
2520040523 2820040523
26 - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in 29 - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in
@@ -1150,4 +1153,4 @@
1150 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 1153 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
1151 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 1154 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
1152 1155
1153$Id: ChangeLog,v 1.3364 2004/05/24 00:35:14 dtucker Exp $ 1156$Id: ChangeLog,v 1.3365 2004/05/24 00:36:23 dtucker Exp $
diff --git a/auth.c b/auth.c
index 4f93ce5ae..ef3cdba3c 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth.c,v 1.53 2004/05/11 19:01:43 deraadt Exp $"); 26RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $");
27 27
28#ifdef HAVE_LOGIN_H 28#ifdef HAVE_LOGIN_H
29#include <login.h> 29#include <login.h>
@@ -242,7 +242,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
242 /* Raise logging level */ 242 /* Raise logging level */
243 if (authenticated == 1 || 243 if (authenticated == 1 ||
244 !authctxt->valid || 244 !authctxt->valid ||
245 authctxt->failures >= AUTH_FAIL_LOG || 245 authctxt->failures >= options.max_authtries / 2 ||
246 strcmp(method, "password") == 0) 246 strcmp(method, "password") == 0)
247 authlog = logit; 247 authlog = logit;
248 248
diff --git a/auth.h b/auth.h
index 3a7d222ef..2f094403d 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */ 1/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -181,8 +181,6 @@ void auth_debug_reset(void);
181 181
182struct passwd *fakepw(void); 182struct passwd *fakepw(void);
183 183
184#define AUTH_FAIL_MAX 6
185#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
186#define AUTH_FAIL_MSG "Too many authentication failures for %.100s" 184#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
187 185
188#define SKEY_PROMPT "\nS/Key Password: " 186#define SKEY_PROMPT "\nS/Key Password: "
diff --git a/auth1.c b/auth1.c
index 376007a05..471f27172 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: auth1.c,v 1.56 2004/05/09 01:19:27 djm Exp $"); 13RCSID("$OpenBSD: auth1.c,v 1.57 2004/05/23 23:59:53 dtucker Exp $");
14 14
15#include "xmalloc.h" 15#include "xmalloc.h"
16#include "rsa.h" 16#include "rsa.h"
@@ -261,7 +261,7 @@ do_authloop(Authctxt *authctxt)
261 if (authenticated) 261 if (authenticated)
262 return; 262 return;
263 263
264 if (authctxt->failures++ > AUTH_FAIL_MAX) 264 if (authctxt->failures++ > options.max_authtries)
265 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 265 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
266 266
267 packet_start(SSH_SMSG_FAILURE); 267 packet_start(SSH_SMSG_FAILURE);
diff --git a/auth2.c b/auth2.c
index 1177efa73..e4a3cded9 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $"); 26RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $");
27 27
28#include "ssh2.h" 28#include "ssh2.h"
29#include "xmalloc.h" 29#include "xmalloc.h"
@@ -243,7 +243,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
243 /* now we can break out */ 243 /* now we can break out */
244 authctxt->success = 1; 244 authctxt->success = 1;
245 } else { 245 } else {
246 if (authctxt->failures++ > AUTH_FAIL_MAX) 246 if (authctxt->failures++ > options.max_authtries)
247 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 247 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
248 methods = authmethods_get(); 248 methods = authmethods_get();
249 packet_start(SSH2_MSG_USERAUTH_FAILURE); 249 packet_start(SSH2_MSG_USERAUTH_FAILURE);
diff --git a/servconf.c b/servconf.c
index 467ad64e8..ef8651651 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $"); 13RCSID("$OpenBSD: servconf.c,v 1.133 2004/05/23 23:59:53 dtucker Exp $");
14 14
15#include "ssh.h" 15#include "ssh.h"
16#include "log.h" 16#include "log.h"
@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions *options)
94 options->max_startups_begin = -1; 94 options->max_startups_begin = -1;
95 options->max_startups_rate = -1; 95 options->max_startups_rate = -1;
96 options->max_startups = -1; 96 options->max_startups = -1;
97 options->max_authtries = -1;
97 options->banner = NULL; 98 options->banner = NULL;
98 options->use_dns = -1; 99 options->use_dns = -1;
99 options->client_alive_interval = -1; 100 options->client_alive_interval = -1;
@@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options)
212 options->max_startups_rate = 100; /* 100% */ 213 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1) 214 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups; 215 options->max_startups_begin = options->max_startups;
216 if (options->max_authtries == -1)
217 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
215 if (options->use_dns == -1) 218 if (options->use_dns == -1)
216 options->use_dns = 1; 219 options->use_dns = 1;
217 if (options->client_alive_interval == -1) 220 if (options->client_alive_interval == -1)
@@ -262,7 +265,8 @@ typedef enum {
262 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 265 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
263 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 266 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
264 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 267 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
265 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 268 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
269 sMaxStartups, sMaxAuthTries,
266 sBanner, sUseDNS, sHostbasedAuthentication, 270 sBanner, sUseDNS, sHostbasedAuthentication,
267 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 271 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
268 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 272 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -357,6 +361,7 @@ static struct {
357 { "gatewayports", sGatewayPorts }, 361 { "gatewayports", sGatewayPorts },
358 { "subsystem", sSubsystem }, 362 { "subsystem", sSubsystem },
359 { "maxstartups", sMaxStartups }, 363 { "maxstartups", sMaxStartups },
364 { "maxauthtries", sMaxAuthTries },
360 { "banner", sBanner }, 365 { "banner", sBanner },
361 { "usedns", sUseDNS }, 366 { "usedns", sUseDNS },
362 { "verifyreversemapping", sDeprecated }, 367 { "verifyreversemapping", sDeprecated },
@@ -869,6 +874,10 @@ parse_flag:
869 options->max_startups = options->max_startups_begin; 874 options->max_startups = options->max_startups_begin;
870 break; 875 break;
871 876
877 case sMaxAuthTries:
878 intptr = &options->max_authtries;
879 goto parse_int;
880
872 case sBanner: 881 case sBanner:
873 charptr = &options->banner; 882 charptr = &options->banner;
874 goto parse_filename; 883 goto parse_filename;
diff --git a/servconf.h b/servconf.h
index 1c6296acc..36d2e5ca6 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.68 2004/04/27 09:46:37 djm Exp $ */ 1/* $OpenBSD: servconf.h,v 1.69 2004/05/23 23:59:53 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -33,6 +33,7 @@
33#define PERMIT_NO_PASSWD 2 33#define PERMIT_NO_PASSWD 2
34#define PERMIT_YES 3 34#define PERMIT_YES 3
35 35
36#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
36 37
37typedef struct { 38typedef struct {
38 u_int num_ports; 39 u_int num_ports;
@@ -114,6 +115,7 @@ typedef struct {
114 int max_startups_begin; 115 int max_startups_begin;
115 int max_startups_rate; 116 int max_startups_rate;
116 int max_startups; 117 int max_startups;
118 int max_authtries;
117 char *banner; /* SSH-2 banner message */ 119 char *banner; /* SSH-2 banner message */
118 int use_dns; 120 int use_dns;
119 int client_alive_interval; /* 121 int client_alive_interval; /*
diff --git a/sshd_config b/sshd_config
index 2b8d9f695..65e6f1c32 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
1# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $ 1# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
2 2
3# This is the sshd server system-wide configuration file. See 3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information. 4# sshd_config(5) for more information.
@@ -35,6 +35,7 @@
35#LoginGraceTime 2m 35#LoginGraceTime 2m
36#PermitRootLogin yes 36#PermitRootLogin yes
37#StrictModes yes 37#StrictModes yes
38#MaxAuthTries 6
38 39
39#RSAAuthentication yes 40#RSAAuthentication yes
40#PubkeyAuthentication yes 41#PubkeyAuthentication yes
diff --git a/sshd_config.5 b/sshd_config.5
index 05558c569..8edaf030c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $ 37.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD_CONFIG 5 39.Dt SSHD_CONFIG 5
40.Os 40.Os
@@ -402,6 +402,10 @@ for data integrity protection.
402Multiple algorithms must be comma-separated. 402Multiple algorithms must be comma-separated.
403The default is 403The default is
404.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . 404.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
405.It Cm MaxAuthTries
406Specifies the maximum number of authentication attempts permitted per
407connection. Once the number of failures reaches half this value, additional
408failures are logged. The default is 6.
405.It Cm MaxStartups 409.It Cm MaxStartups
406Specifies the maximum number of concurrent unauthenticated connections to the 410Specifies the maximum number of concurrent unauthenticated connections to the
407.Nm sshd 411.Nm sshd
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-31 06:50:52 +0000