- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2011/03/10 02:52:57 [auth2-gss.c auth2.c] allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
parent
f22019bdbf
commit
3fcdfd55a3
|
@ -8,6 +8,12 @@
|
||||||
[regress/README.regress] Remove ssh-rand-helper and all its
|
[regress/README.regress] Remove ssh-rand-helper and all its
|
||||||
tentacles. PRNGd seeding has been rolled into entropy.c directly.
|
tentacles. PRNGd seeding has been rolled into entropy.c directly.
|
||||||
Thanks to tim@ for testing on affected platforms.
|
Thanks to tim@ for testing on affected platforms.
|
||||||
|
- OpenBSD CVS Sync
|
||||||
|
- djm@cvs.openbsd.org 2011/03/10 02:52:57
|
||||||
|
[auth2-gss.c auth2.c]
|
||||||
|
allow GSSAPI authentication to detect when a server-side failure causes
|
||||||
|
authentication failure and don't count such failures against MaxAuthTries;
|
||||||
|
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
||||||
|
|
||||||
20110221
|
20110221
|
||||||
- (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
|
- (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
|
/* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
|
@ -102,6 +102,7 @@ userauth_gssapi(Authctxt *authctxt)
|
||||||
|
|
||||||
if (!present) {
|
if (!present) {
|
||||||
xfree(doid);
|
xfree(doid);
|
||||||
|
authctxt->server_caused_failure = 1;
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -109,6 +110,7 @@ userauth_gssapi(Authctxt *authctxt)
|
||||||
if (ctxt != NULL)
|
if (ctxt != NULL)
|
||||||
ssh_gssapi_delete_ctx(&ctxt);
|
ssh_gssapi_delete_ctx(&ctxt);
|
||||||
xfree(doid);
|
xfree(doid);
|
||||||
|
authctxt->server_caused_failure = 1;
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
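Review bot: Both new `authctxt->server_caused_failure = 1;` assignments exempt the attempt from MaxAuthTries, and the first sits in the `if (!present)` branch, whose condition is computed outside this hunk. If `present` depends on the mechanism list supplied in the client's request, that branch is reached by client choice rather than by a server fault, so repeated requests of that kind would never increment `failures`. It is worth confirming that another bound (for example LoginGraceTime) still limits such a session. I would also add a comment at each assignment, such as `/* server-side failure: not counted against MaxAuthTries, see userauth_finish() */`. The body of userauth_gssapi() begins and ends outside the hunks shown.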
6
auth2.c
6
auth2.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: auth2.c,v 1.122 2010/08/31 09:58:37 djm Exp $ */
|
/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
|
@ -274,6 +274,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
authctxt->postponed = 0;
|
authctxt->postponed = 0;
|
||||||
|
authctxt->server_caused_failure = 0;
|
||||||
|
|
||||||
/* try to authenticate user */
|
/* try to authenticate user */
|
||||||
m = authmethod_lookup(method);
|
m = authmethod_lookup(method);
|
||||||
|
@ -346,7 +347,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
/* Allow initial try of "none" auth without failure penalty */
|
/* Allow initial try of "none" auth without failure penalty */
|
||||||
if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
|
if (!authctxt->server_caused_failure &&
|
||||||
|
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
|
||||||
authctxt->failures++;
|
authctxt->failures++;
|
||||||
if (authctxt->failures >= options.max_authtries) {
|
if (authctxt->failures >= options.max_authtries) {
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
|
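Review bot: The comment above the rewritten condition in userauth_finish() still reads `/* Allow initial try of "none" auth without failure penalty */`, but the condition now also skips `authctxt->failures++` whenever `server_caused_failure` is set. I would change it to `/* No failure penalty for the initial "none" try or for failures the method flagged as server-caused */`. The flag is cleared per request in input_userauth_request() and, as far as this diff shows, set only by the GSSAPI method, so any future method that sets it on a client-influenced path would bypass the `failures >= options.max_authtries` check that follows. That contract should be stated where the field is declared, which is not part of this diff. Both functions extend beyond the hunks shown.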