From b8c98076283a43e21dc53580837f3296c186ecd6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 26 Oct 2007 14:26:15 +1000 Subject: - dtucker@cvs.openbsd.org 2007/09/29 00:25:51 [auth2.c] Remove unused prototype. ok djm@ --- auth2.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'auth2.c') diff --git a/auth2.c b/auth2.c index bded8c2f8..03d7f09dc 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.115 2007/04/14 22:01:58 stevesk Exp $ */ +/* $OpenBSD: auth2.c,v 1.116 2007/09/29 00:25:51 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -87,7 +87,6 @@ static void input_userauth_request(int, u_int32_t, void *); /* helper */ static Authmethod *authmethod_lookup(const char *); static char *authmethods_get(void); -int user_key_allowed(struct passwd *, Key *); /* * loop until authctxt->success == TRUE -- cgit v1.2.3 From 4230a5dc305d1b39bc118befcc1ccfe933281b75 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Wed, 2 Jul 2008 22:56:09 +1000 Subject: - djm@cvs.openbsd.org 2008/07/02 12:36:39 [auth2-none.c auth2.c] Make protocol 2 MaxAuthTries behaviour a little more sensible: Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth). Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try. Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block). Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too. --- ChangeLog | 18 +++++++++++++- auth2-none.c | 72 +++---------------------------------------------------- auth2.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- 3 files changed, 94 insertions(+), 74 deletions(-) (limited to 'auth2.c') diff --git a/ChangeLog b/ChangeLog index dc8048939..873e1459d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -33,6 +33,22 @@ Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@ + - djm@cvs.openbsd.org 2008/07/02 12:36:39 + [auth2-none.c auth2.c] + Make protocol 2 MaxAuthTries behaviour a little more sensible: + Check whether client has exceeded MaxAuthTries before running + an authentication method and skip it if they have, previously it + would always allow one try (for "none" auth). + Preincrement failure count before post-auth test - previously this + checked and postincremented, also to allow one "none" try. + Together, these two changes always count the "none" auth method + which could be skipped by a malicious client (e.g. an SSH worm) + to get an extra attempt at a real auth method. They also make + MaxAuthTries=0 a useful way to block users entirely (esp. in a + sshd_config Match block). + Also, move sending of any preauth banner from "none" auth method + to the first call to input_userauth_request(), so worms that skip + the "none" method get to see it too. 20080630 - (djm) OpenBSD CVS Sync @@ -4516,4 +4532,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5047 2008/07/02 12:37:30 dtucker Exp $ +$Id: ChangeLog,v 1.5048 2008/07/02 12:56:09 dtucker Exp $ diff --git a/auth2-none.c b/auth2-none.c index 28e593e6c..10accfe55 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-none.c,v 1.14 2007/08/23 03:22:16 djm Exp $ */ +/* $OpenBSD: auth2-none.c,v 1.15 2008/07/02 12:36:39 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -31,9 +31,10 @@ #include #include -#include #include +#include +#include "atomicio.h" #include "xmalloc.h" #include "key.h" #include "hostfile.h" 
@@ -42,7 +43,6 @@ #include "log.h" #include "buffer.h" #include "servconf.h" -#include "atomicio.h" #include "compat.h" #include "ssh2.h" #ifdef GSSAPI @@ -56,77 +56,11 @@ extern ServerOptions options; /* "none" is allowed only one time */ static int none_enabled = 1; -char * -auth2_read_banner(void) -{ - struct stat st; - char *banner = NULL; - size_t len, n; - int fd; - - if ((fd = open(options.banner, O_RDONLY)) == -1) - return (NULL); - if (fstat(fd, &st) == -1) { - close(fd); - return (NULL); - } - if (st.st_size > 1*1024*1024) { - close(fd); - return (NULL); - } - - len = (size_t)st.st_size; /* truncate */ - banner = xmalloc(len + 1); - n = atomicio(read, fd, banner, len); - close(fd); - - if (n != len) { - xfree(banner); - return (NULL); - } - banner[n] = '\0'; - - return (banner); -} - -void -userauth_send_banner(const char *msg) -{ - if (datafellows & SSH_BUG_BANNER) - return; - - packet_start(SSH2_MSG_USERAUTH_BANNER); - packet_put_cstring(msg); - packet_put_cstring(""); /* language, unused */ - packet_send(); - debug("%s: sent", __func__); -} - -static void -userauth_banner(void) -{ - char *banner = NULL; - - if (options.banner == NULL || - strcasecmp(options.banner, "none") == 0 || - (datafellows & SSH_BUG_BANNER) != 0) - return; - - if ((banner = PRIVSEP(auth2_read_banner())) == NULL) - goto done; - userauth_send_banner(banner); - -done: - if (banner) - xfree(banner); -} - static int userauth_none(Authctxt *authctxt) { none_enabled = 0; packet_check_eom(); - userauth_banner(); #ifdef HAVE_CYGWIN if (check_nt_auth(1, authctxt->pw) == 0) return (0); diff --git a/auth2.c b/auth2.c index 03d7f09dc..31f01f9fb 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.116 2007/09/29 00:25:51 dtucker Exp $ */ +/* $OpenBSD: auth2.c,v 1.117 2008/07/02 12:36:39 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
@@ -26,10 +26,14 @@ #include "includes.h" #include +#include +#include +#include #include #include #include +#include #include "xmalloc.h" #include "ssh2.h" @@ -88,10 +92,74 @@ static void input_userauth_request(int, u_int32_t, void *); static Authmethod *authmethod_lookup(const char *); static char *authmethods_get(void); +char * +auth2_read_banner(void) +{ + struct stat st; + char *banner = NULL; + size_t len, n; + int fd; + + if ((fd = open(options.banner, O_RDONLY)) == -1) + return (NULL); + if (fstat(fd, &st) == -1) { + close(fd); + return (NULL); + } + if (st.st_size > 1*1024*1024) { + close(fd); + return (NULL); + } + + len = (size_t)st.st_size; /* truncate */ + banner = xmalloc(len + 1); + n = atomicio(read, fd, banner, len); + close(fd); + + if (n != len) { + xfree(banner); + return (NULL); + } + banner[n] = '\0'; + + return (banner); +} + +void +userauth_send_banner(const char *msg) +{ + if (datafellows & SSH_BUG_BANNER) + return; + + packet_start(SSH2_MSG_USERAUTH_BANNER); + packet_put_cstring(msg); + packet_put_cstring(""); /* language, unused */ + packet_send(); + debug("%s: sent", __func__); +} + +static void +userauth_banner(void) +{ + char *banner = NULL; + + if (options.banner == NULL || + strcasecmp(options.banner, "none") == 0 || + (datafellows & SSH_BUG_BANNER) != 0) + return; + + if ((banner = PRIVSEP(auth2_read_banner())) == NULL) + goto done; + userauth_send_banner(banner); + +done: + if (banner) + xfree(banner); +} + /* * loop until authctxt->success == TRUE */ - void do_authentication2(Authctxt *authctxt) { @@ -179,6 +247,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) authctxt->style = style ? xstrdup(style) : NULL; if (use_privsep) mm_inform_authserv(service, style); + userauth_banner(); } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " 
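Review bot: `auth2_read_banner()` trusts `st.st_size` without first checking that the banner is a regular file, so a FIFO or device named in `options.banner` is opened and read with a size that means nothing for that file type; widening the guard to `if (!S_ISREG(st.st_mode) || st.st_size > 1*1024*1024) {` would mirror the non-regular-file check the ChangeLog context already mentions for protocol 1 RSA auth. The three functions are moved verbatim from auth2-none.c and still carry no header comments, although `auth2_read_banner` is now a non-static entry point invoked through PRIVSEP; a comment stating that it returns NULL on open/fstat failure, on a banner above 1 MiB or on a short read, and otherwise an xmalloc'd NUL-terminated string the caller must xfree would document the contract. The `1*1024*1024` cap is a magic number that would read better as a named constant. `do_authentication2`, whose signature closes the hunk, continues outside it.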
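Review bot: The new `userauth_banner();` call in the first-request branch has no comment explaining why the banner is now sent here instead of from the "none" method, and the condition of the enclosing `if` is outside the hunk; `/* Send any pre-auth banner on the first request, so a client that skips the "none" method still sees it */` would keep the rationale from the commit message next to the code. `input_userauth_request` continues outside the hunk on both sides.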
@@ -197,7 +266,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) /* try to authenticate user */ m = authmethod_lookup(method); - if (m != NULL) { + if (m != NULL && authctxt->failures < options.max_authtries) { debug2("input_userauth_request: try method %s", method); authenticated = m->userauth(authctxt); } @@ -264,7 +333,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* now we can break out */ authctxt->success = 1; } else { - if (authctxt->failures++ > options.max_authtries) { + if (++authctxt->failures > options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif @@ -320,3 +389,4 @@ authmethod_lookup(const char *name) name ? name : "NULL"); return NULL; } + -- cgit v1.2.3 From 7c99b1ceda9f6bfb1dc36bae30de0c6a49c6ec69 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 4 Jul 2008 12:53:23 +1000 Subject: - djm@cvs.openbsd.org 2008/07/02 13:30:34 [auth2.c] really really remove the freebie "none" auth try for protocol 2 --- ChangeLog | 8 +++++++- auth2.c | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'auth2.c') diff --git a/ChangeLog b/ChangeLog index 873e1459d..6f69442f4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20080704 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/07/02 13:30:34 + [auth2.c] + really really remove the freebie "none" auth try for protocol 2 + 20080702 - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2008/06/30 08:05:59 @@ -4532,4 +4538,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5048 2008/07/02 12:56:09 dtucker Exp $ +$Id: ChangeLog,v 1.5049 2008/07/04 02:53:23 dtucker Exp $ diff --git a/auth2.c b/auth2.c index 31f01f9fb..4b96c652f 100644 --- a/auth2.c +++ b/auth2.c 
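Review bot: When the added `authctxt->failures < options.max_authtries` guard is false the method is skipped silently, because the only `debug2` in this block sits inside the `if`; an else branch such as `else if (m != NULL) debug2("input_userauth_request: MaxAuthTries exceeded, skipping method %s", method);` would make the skip visible in debug logs. `userauth_finish` presumably records the resulting failure, but that code is outside the hunk and its log line would not say the method was never run. The same silent skip appears in the `goto skip` that the later commit (2008/07/04 23:30:16) adds to `do_authloop` in auth1.c. `input_userauth_request` continues outside the hunk.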
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.117 2008/07/02 12:36:39 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -333,7 +333,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* now we can break out */ authctxt->success = 1; } else { - if (++authctxt->failures > options.max_authtries) { + if (++authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif -- cgit v1.2.3 From 0b4d48ba74cca40e983d96ba13e66908cf5b5666 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 5 Jul 2008 09:44:53 +1000 Subject: - djm@cvs.openbsd.org 2008/07/04 23:30:16 [auth1.c auth2.c] Make protocol 1 MaxAuthTries logic match protocol 2's. Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none". Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2. ok dtucker@ --- ChangeLog | 10 +++++++++- auth1.c | 6 ++++-- auth2.c | 9 +++++++-- 3 files changed, 20 insertions(+), 5 deletions(-) (limited to 'auth2.c') diff --git a/ChangeLog b/ChangeLog index 6cd833b32..225eff6cc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,14 @@ - djm@cvs.openbsd.org 2008/07/04 23:08:25 [packet.c] handle EINTR in packet_write_poll()l ok dtucker@ + - djm@cvs.openbsd.org 2008/07/04 23:30:16 + [auth1.c auth2.c] + Make protocol 1 MaxAuthTries logic match protocol 2's. + Do not treat the first protocol 2 authentication attempt as + a failure IFF it is for method "none". + Makes MaxAuthTries' user-visible behaviour identical for + protocol 1 vs 2. + ok dtucker@ 20080704 - (dtucker) OpenBSD CVS Sync @@ -4582,4 +4590,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5061 2008/07/04 23:40:56 djm Exp $ +$Id: ChangeLog,v 1.5062 2008/07/04 23:44:53 djm Exp $ 
diff --git a/auth1.c b/auth1.c index b5798f634..834ef0452 100644 --- a/auth1.c +++ b/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -284,6 +284,8 @@ do_authloop(Authctxt *authctxt) type != SSH_CMSG_AUTH_TIS_RESPONSE) abandon_challenge_response(authctxt); + if (authctxt->failures >= options.max_authtries) + goto skip; if ((meth = lookup_authmethod1(type)) == NULL) { logit("Unknown message during authentication: " "type %d", type); @@ -368,7 +370,7 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; - if (authctxt->failures++ > options.max_authtries) { + if (++authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif diff --git a/auth2.c b/auth2.c index 4b96c652f..a835abfc6 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -36,6 +36,7 @@ #include #include "xmalloc.h" +#include "atomicio.h" #include "ssh2.h" #include "packet.h" #include "log.h" @@ -333,7 +334,11 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* now we can break out */ authctxt->success = 1; } else { - if (++authctxt->failures >= options.max_authtries) { + + /* Allow initial try of "none" auth without failure penalty */ + if (authctxt->attempt > 1 || strcmp(method, "none") != 0) + authctxt->failures++; + if (authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif -- cgit v1.2.3
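Review bot: The "none" exemption in `userauth_finish` depends on `authctxt->attempt` already having been incremented for the current request, which nothing in the hunk shows; if the counter is bumped in `input_userauth_request` before this point is reached, the comment should say so, e.g. `/* Allow initial try of "none" auth without failure penalty; attempt is bumped per request before we get here */`. The blank line inserted directly after `} else {` is unusual for this file and could be dropped. `userauth_finish` continues outside the hunk on both sides.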