From 6f621603f9cff2a5d6016a404c96cb2f8ac2dec0 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 25 Feb 2015 17:29:38 +0000 Subject: [PATCH] upstream commit don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach --- auth.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/auth.c b/auth.c index facc962b2..f9b767301 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.109 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: auth.c,v 1.110 2015/02/25 17:29:38 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -331,13 +331,14 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, void auth_maxtries_exceeded(Authctxt *authctxt) { - packet_disconnect("Too many authentication failures for " + error("maximum authentication attempts exceeded for " "%s%.100s from %.200s port %d %s", authctxt->valid ? "" : "invalid user ", authctxt->user, get_remote_ipaddr(), get_remote_port(), compat20 ? "ssh2" : "ssh1"); + packet_disconnect("Too many authentication failures"); /* NOTREACHED */ }