3 files changed, 20 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 6cd833b32..225eff6cc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,14 @@
   - djm@cvs.openbsd.org 2008/07/04 23:08:25
     [packet.c]
     handle EINTR in packet_write_poll()l ok dtucker@
+   - djm@cvs.openbsd.org 2008/07/04 23:30:16
+     [auth1.c auth2.c]
+     Make protocol 1 MaxAuthTries logic match protocol 2's.
+     Do not treat the first protocol 2 authentication attempt as
+     a failure IFF it is for method "none".
+     Makes MaxAuthTries' user-visible behaviour identical for
+     protocol 1 vs 2.
+     ok dtucker@
 20080704
 - (dtucker) OpenBSD CVS Sync
@@ -4582,4 +4590,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.5061 2008/07/04 23:40:56 djm Exp $
+$Id: ChangeLog,v 1.5062 2008/07/04 23:44:53 djm Exp $
diff --git a/auth1.c b/auth1.c
index b5798f634..834ef0452 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -284,6 +284,8 @@ do_authloop(Authctxt *authctxt)
                    type != SSH_CMSG_AUTH_TIS_RESPONSE)
                        abandon_challenge_response(authctxt);
+                if (authctxt->failures >= options.max_authtries)
+                        goto skip;
                if ((meth = lookup_authmethod1(type)) == NULL) {
                        logit("Unknown message during authentication: "
                            "type %d", type);
@@ -368,7 +370,7 @@ do_authloop(Authctxt *authctxt)
                if (authenticated)
                        return;
-                if (authctxt->failures++ > options.max_authtries) {
+                if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
diff --git a/auth2.c b/auth2.c
index 4b96c652f..a835abfc6 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -36,6 +36,7 @@
 #include <unistd.h>
 #include "xmalloc.h"
+#include "atomicio.h"
 #include "ssh2.h"
 #include "packet.h"
 #include "log.h"
@@ -333,7 +334,11 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                /* now we can break out */
                authctxt->success = 1;
        } else {
-                if (++authctxt->failures >= options.max_authtries) {
+                /* Allow initial try of "none" auth without failure penalty */
+                if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+                        authctxt->failures++;
+                if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif

diff --git a/ChangeLog b/ChangeLog index 6cd833b32..225eff6cc 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -9,6 +9,14 @@
9	- djm@cvs.openbsd.org 2008/07/04 23:08:25	9	- djm@cvs.openbsd.org 2008/07/04 23:08:25
10	[packet.c]	10	[packet.c]
11	handle EINTR in packet_write_poll()l ok dtucker@	11	handle EINTR in packet_write_poll()l ok dtucker@
		12	- djm@cvs.openbsd.org 2008/07/04 23:30:16
		13	[auth1.c auth2.c]
		14	Make protocol 1 MaxAuthTries logic match protocol 2's.
		15	Do not treat the first protocol 2 authentication attempt as
		16	a failure IFF it is for method "none".
		17	Makes MaxAuthTries' user-visible behaviour identical for
		18	protocol 1 vs 2.
		19	ok dtucker@
12		20
13	20080704	21	20080704
14	- (dtucker) OpenBSD CVS Sync	22	- (dtucker) OpenBSD CVS Sync
@@ -4582,4 +4590,4 @@
4582	OpenServer 6 and add osr5bigcrypt support so when someone migrates	4590	OpenServer 6 and add osr5bigcrypt support so when someone migrates
4583	passwords between UnixWare and OpenServer they will still work. OK dtucker@	4591	passwords between UnixWare and OpenServer they will still work. OK dtucker@
4584		4592
4585	$Id: ChangeLog,v 1.5061 2008/07/04 23:40:56 djm Exp $	4593	$Id: ChangeLog,v 1.5062 2008/07/04 23:44:53 djm Exp $


diff --git a/auth1.c b/auth1.c index b5798f634..834ef0452 100644 --- a/auth1.c +++ b/auth1.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */	1	/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4	* All rights reserved	4	* All rights reserved
@@ -284,6 +284,8 @@ do_authloop(Authctxt *authctxt)
284	type != SSH_CMSG_AUTH_TIS_RESPONSE)	284	type != SSH_CMSG_AUTH_TIS_RESPONSE)
285	abandon_challenge_response(authctxt);	285	abandon_challenge_response(authctxt);
286		286
		287	if (authctxt->failures >= options.max_authtries)
		288	goto skip;
287	if ((meth = lookup_authmethod1(type)) == NULL) {	289	if ((meth = lookup_authmethod1(type)) == NULL) {
288	logit("Unknown message during authentication: "	290	logit("Unknown message during authentication: "
289	"type %d", type);	291	"type %d", type);
@@ -368,7 +370,7 @@ do_authloop(Authctxt *authctxt)
368	if (authenticated)	370	if (authenticated)
369	return;	371	return;
370		372
371	if (authctxt->failures++ > options.max_authtries) {	373	if (++authctxt->failures >= options.max_authtries) {
372	#ifdef SSH_AUDIT_EVENTS	374	#ifdef SSH_AUDIT_EVENTS
373	PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));	375	PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
374	#endif	376	#endif


diff --git a/auth2.c b/auth2.c index 4b96c652f..a835abfc6 100644 --- a/auth2.c +++ b/auth2.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */	1	/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -36,6 +36,7 @@
36	#include <unistd.h>	36	#include <unistd.h>
37		37
38	#include "xmalloc.h"	38	#include "xmalloc.h"
		39	#include "atomicio.h"
39	#include "ssh2.h"	40	#include "ssh2.h"
40	#include "packet.h"	41	#include "packet.h"
41	#include "log.h"	42	#include "log.h"
@@ -333,7 +334,11 @@ userauth_finish(Authctxt authctxt, int authenticated, char method)
333	/* now we can break out */	334	/* now we can break out */
334	authctxt->success = 1;	335	authctxt->success = 1;
335	} else {	336	} else {
336	if (++authctxt->failures >= options.max_authtries) {	337
		338	/* Allow initial try of "none" auth without failure penalty */
		339	if (authctxt->attempt > 1 \|\| strcmp(method, "none") != 0)
		340	authctxt->failures++;
		341	if (authctxt->failures >= options.max_authtries) {
337	#ifdef SSH_AUDIT_EVENTS	342	#ifdef SSH_AUDIT_EVENTS
338	PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));	343	PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
339	#endif	344	#endif