diff options
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 17 |
1 files changed, 14 insertions, 3 deletions
@@ -64,6 +64,7 @@ extern Authmethod method_passwd; | |||
64 | extern Authmethod method_kbdint; | 64 | extern Authmethod method_kbdint; |
65 | extern Authmethod method_hostbased; | 65 | extern Authmethod method_hostbased; |
66 | #ifdef GSSAPI | 66 | #ifdef GSSAPI |
67 | extern Authmethod method_gsskeyex; | ||
67 | extern Authmethod method_gssapi; | 68 | extern Authmethod method_gssapi; |
68 | #endif | 69 | #endif |
69 | 70 | ||
@@ -71,6 +72,7 @@ Authmethod *authmethods[] = { | |||
71 | &method_none, | 72 | &method_none, |
72 | &method_pubkey, | 73 | &method_pubkey, |
73 | #ifdef GSSAPI | 74 | #ifdef GSSAPI |
75 | &method_gsskeyex, | ||
74 | &method_gssapi, | 76 | &method_gssapi, |
75 | #endif | 77 | #endif |
76 | &method_passwd, | 78 | &method_passwd, |
@@ -141,7 +143,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
141 | { | 143 | { |
142 | Authctxt *authctxt = ctxt; | 144 | Authctxt *authctxt = ctxt; |
143 | Authmethod *m = NULL; | 145 | Authmethod *m = NULL; |
144 | char *user, *service, *method, *style = NULL; | 146 | char *user, *service, *method, *style = NULL, *role = NULL; |
145 | int authenticated = 0; | 147 | int authenticated = 0; |
146 | 148 | ||
147 | if (authctxt == NULL) | 149 | if (authctxt == NULL) |
@@ -153,8 +155,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
153 | debug("userauth-request for user %s service %s method %s", user, service, method); | 155 | debug("userauth-request for user %s service %s method %s", user, service, method); |
154 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 156 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
155 | 157 | ||
158 | if ((role = strchr(user, '/')) != NULL) | ||
159 | *role++ = 0; | ||
160 | |||
156 | if ((style = strchr(user, ':')) != NULL) | 161 | if ((style = strchr(user, ':')) != NULL) |
157 | *style++ = 0; | 162 | *style++ = 0; |
163 | else if (role && (style = strchr(role, ':')) != NULL) | ||
164 | *style++ = '\0'; | ||
158 | 165 | ||
159 | if (authctxt->attempt++ == 0) { | 166 | if (authctxt->attempt++ == 0) { |
160 | /* setup auth context */ | 167 | /* setup auth context */ |
@@ -178,8 +185,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
178 | use_privsep ? " [net]" : ""); | 185 | use_privsep ? " [net]" : ""); |
179 | authctxt->service = xstrdup(service); | 186 | authctxt->service = xstrdup(service); |
180 | authctxt->style = style ? xstrdup(style) : NULL; | 187 | authctxt->style = style ? xstrdup(style) : NULL; |
188 | authctxt->role = role ? xstrdup(role) : NULL; | ||
181 | if (use_privsep) | 189 | if (use_privsep) |
182 | mm_inform_authserv(service, style); | 190 | mm_inform_authserv(service, style, role); |
183 | } else if (strcmp(user, authctxt->user) != 0 || | 191 | } else if (strcmp(user, authctxt->user) != 0 || |
184 | strcmp(service, authctxt->service) != 0) { | 192 | strcmp(service, authctxt->service) != 0) { |
185 | packet_disconnect("Change of username or service not allowed: " | 193 | packet_disconnect("Change of username or service not allowed: " |
@@ -195,6 +203,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
195 | #endif | 203 | #endif |
196 | 204 | ||
197 | authctxt->postponed = 0; | 205 | authctxt->postponed = 0; |
206 | authctxt->server_caused_failure = 0; | ||
198 | 207 | ||
199 | /* try to authenticate user */ | 208 | /* try to authenticate user */ |
200 | m = authmethod_lookup(method); | 209 | m = authmethod_lookup(method); |
@@ -265,7 +274,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
265 | /* now we can break out */ | 274 | /* now we can break out */ |
266 | authctxt->success = 1; | 275 | authctxt->success = 1; |
267 | } else { | 276 | } else { |
268 | if (authctxt->failures++ > options.max_authtries) { | 277 | /* Dont count server configuration issues against the client */ |
278 | if (!authctxt->server_caused_failure && | ||
279 | authctxt->failures++ > options.max_authtries) { | ||
269 | #ifdef SSH_AUDIT_EVENTS | 280 | #ifdef SSH_AUDIT_EVENTS |
270 | PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); | 281 | PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); |
271 | #endif | 282 | #endif |