summaryrefslogtreecommitdiff
path: root/auth2.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth2.c')
-rw-r--r--auth2.c17
1 files changed, 14 insertions, 3 deletions
diff --git a/auth2.c b/auth2.c
index b1a4e3635..6a1653064 100644
--- a/auth2.c
+++ b/auth2.c
@@ -64,6 +64,7 @@ extern Authmethod method_passwd;
64extern Authmethod method_kbdint; 64extern Authmethod method_kbdint;
65extern Authmethod method_hostbased; 65extern Authmethod method_hostbased;
66#ifdef GSSAPI 66#ifdef GSSAPI
67extern Authmethod method_gsskeyex;
67extern Authmethod method_gssapi; 68extern Authmethod method_gssapi;
68#endif 69#endif
69 70
@@ -71,6 +72,7 @@ Authmethod *authmethods[] = {
71 &method_none, 72 &method_none,
72 &method_pubkey, 73 &method_pubkey,
73#ifdef GSSAPI 74#ifdef GSSAPI
75 &method_gsskeyex,
74 &method_gssapi, 76 &method_gssapi,
75#endif 77#endif
76 &method_passwd, 78 &method_passwd,
@@ -141,7 +143,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
141{ 143{
142 Authctxt *authctxt = ctxt; 144 Authctxt *authctxt = ctxt;
143 Authmethod *m = NULL; 145 Authmethod *m = NULL;
144 char *user, *service, *method, *style = NULL; 146 char *user, *service, *method, *style = NULL, *role = NULL;
145 int authenticated = 0; 147 int authenticated = 0;
146 148
147 if (authctxt == NULL) 149 if (authctxt == NULL)
@@ -153,8 +155,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
153 debug("userauth-request for user %s service %s method %s", user, service, method); 155 debug("userauth-request for user %s service %s method %s", user, service, method);
154 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 156 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
155 157
158 if ((role = strchr(user, '/')) != NULL)
159 *role++ = 0;
160
156 if ((style = strchr(user, ':')) != NULL) 161 if ((style = strchr(user, ':')) != NULL)
157 *style++ = 0; 162 *style++ = 0;
163 else if (role && (style = strchr(role, ':')) != NULL)
164 *style++ = '\0';
158 165
159 if (authctxt->attempt++ == 0) { 166 if (authctxt->attempt++ == 0) {
160 /* setup auth context */ 167 /* setup auth context */
@@ -178,8 +185,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
178 use_privsep ? " [net]" : ""); 185 use_privsep ? " [net]" : "");
179 authctxt->service = xstrdup(service); 186 authctxt->service = xstrdup(service);
180 authctxt->style = style ? xstrdup(style) : NULL; 187 authctxt->style = style ? xstrdup(style) : NULL;
188 authctxt->role = role ? xstrdup(role) : NULL;
181 if (use_privsep) 189 if (use_privsep)
182 mm_inform_authserv(service, style); 190 mm_inform_authserv(service, style, role);
183 } else if (strcmp(user, authctxt->user) != 0 || 191 } else if (strcmp(user, authctxt->user) != 0 ||
184 strcmp(service, authctxt->service) != 0) { 192 strcmp(service, authctxt->service) != 0) {
185 packet_disconnect("Change of username or service not allowed: " 193 packet_disconnect("Change of username or service not allowed: "
@@ -195,6 +203,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
195#endif 203#endif
196 204
197 authctxt->postponed = 0; 205 authctxt->postponed = 0;
206 authctxt->server_caused_failure = 0;
198 207
199 /* try to authenticate user */ 208 /* try to authenticate user */
200 m = authmethod_lookup(method); 209 m = authmethod_lookup(method);
@@ -265,7 +274,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
265 /* now we can break out */ 274 /* now we can break out */
266 authctxt->success = 1; 275 authctxt->success = 1;
267 } else { 276 } else {
268 if (authctxt->failures++ > options.max_authtries) { 277 /* Dont count server configuration issues against the client */
278 if (!authctxt->server_caused_failure &&
279 authctxt->failures++ > options.max_authtries) {
269#ifdef SSH_AUDIT_EVENTS 280#ifdef SSH_AUDIT_EVENTS
270 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); 281 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
271#endif 282#endif
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-30 23:47:28 +0000