- dtucker@cvs.openbsd.org 2004/05/23 23:59:53
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5] Add MaxAuthTries sshd config option; ok markus@
This commit is contained in:
parent
e534e12127
commit
89413dbafa
@ -21,6 +21,9 @@
|
||||
- jmc@cvs.openbsd.org 2004/05/22 16:01:05
|
||||
[ssh.1]
|
||||
kill whitespace at eol;
|
||||
- dtucker@cvs.openbsd.org 2004/05/23 23:59:53
|
||||
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
|
||||
Add MaxAuthTries sshd config option; ok markus@
|
||||
|
||||
20040523
|
||||
- (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in
|
||||
@ -1150,4 +1153,4 @@
|
||||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||
|
||||
$Id: ChangeLog,v 1.3364 2004/05/24 00:35:14 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.3365 2004/05/24 00:36:23 dtucker Exp $
|
||||
|
4
auth.c
4
auth.c
@ -23,7 +23,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth.c,v 1.53 2004/05/11 19:01:43 deraadt Exp $");
|
||||
RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $");
|
||||
|
||||
#ifdef HAVE_LOGIN_H
|
||||
#include <login.h>
|
||||
@ -242,7 +242,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
||||
/* Raise logging level */
|
||||
if (authenticated == 1 ||
|
||||
!authctxt->valid ||
|
||||
authctxt->failures >= AUTH_FAIL_LOG ||
|
||||
authctxt->failures >= options.max_authtries / 2 ||
|
||||
strcmp(method, "password") == 0)
|
||||
authlog = logit;
|
||||
|
||||
|
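Review bot: The new raised-logging threshold `authctxt->failures >= options.max_authtries / 2 ||` in auth_log() uses integer division, so for odd MaxAuthTries values "half" is rounded down and for `MaxAuthTries 1` the threshold is 0, which makes every failure log at the higher level; the sshd_config.5 text added by this commit says only "half this value". A short comment on that line would spare the next reader the trip to the man page, e.g. `/* raise the level once half of MaxAuthTries (rounded down) has been used */`. This line also relies on `options` being declared in auth.c outside the hunk, and the rest of auth_log() is outside the hunk as well.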
4
auth.h
4
auth.h
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */
|
||||
/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
@ -181,8 +181,6 @@ void auth_debug_reset(void);
|
||||
|
||||
struct passwd *fakepw(void);
|
||||
|
||||
#define AUTH_FAIL_MAX 6
|
||||
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
|
||||
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
|
||||
|
||||
#define SKEY_PROMPT "\nS/Key Password: "
|
||||
|
4
auth1.c
4
auth1.c
@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth1.c,v 1.56 2004/05/09 01:19:27 djm Exp $");
|
||||
RCSID("$OpenBSD: auth1.c,v 1.57 2004/05/23 23:59:53 dtucker Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "rsa.h"
|
||||
@ -261,7 +261,7 @@ do_authloop(Authctxt *authctxt)
|
||||
if (authenticated)
|
||||
return;
|
||||
|
||||
if (authctxt->failures++ > AUTH_FAIL_MAX)
|
||||
if (authctxt->failures++ > options.max_authtries)
|
||||
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||
|
||||
packet_start(SSH_SMSG_FAILURE);
|
||||
|
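Review bot: The disconnect test `if (authctxt->failures++ > options.max_authtries)` in do_authloop() compares the counter before incrementing and uses `>`, so with the default of 6 the failure that triggers the disconnect is the eighth one, which does not match the sshd_config.5 wording added in this commit ("maximum number of authentication attempts permitted per connection"). The identical test is in auth2.c's userauth_finish(), so both places need the same decision. If the documented meaning is intended, `if (++authctxt->failures >= options.max_authtries)` disconnects on the MaxAuthTries-th failure; otherwise the man page should say the limit is approximate. The remainder of do_authloop(), including where `failures` is reset, is outside the hunk, so the effect of moving the increment should be checked there.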
4
auth2.c
4
auth2.c
@ -23,7 +23,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
|
||||
RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $");
|
||||
|
||||
#include "ssh2.h"
|
||||
#include "xmalloc.h"
|
||||
@ -243,7 +243,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
|
||||
/* now we can break out */
|
||||
authctxt->success = 1;
|
||||
} else {
|
||||
if (authctxt->failures++ > AUTH_FAIL_MAX)
|
||||
if (authctxt->failures++ > options.max_authtries)
|
||||
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||
methods = authmethods_get();
|
||||
packet_start(SSH2_MSG_USERAUTH_FAILURE);
|
||||
|
13
servconf.c
13
servconf.c
@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $");
|
||||
RCSID("$OpenBSD: servconf.c,v 1.133 2004/05/23 23:59:53 dtucker Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "log.h"
|
||||
@ -94,6 +94,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->max_startups_begin = -1;
|
||||
options->max_startups_rate = -1;
|
||||
options->max_startups = -1;
|
||||
options->max_authtries = -1;
|
||||
options->banner = NULL;
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->max_startups_rate = 100; /* 100% */
|
||||
if (options->max_startups_begin == -1)
|
||||
options->max_startups_begin = options->max_startups;
|
||||
if (options->max_authtries == -1)
|
||||
options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
|
||||
if (options->use_dns == -1)
|
||||
options->use_dns = 1;
|
||||
if (options->client_alive_interval == -1)
|
||||
@ -262,7 +265,8 @@ typedef enum {
|
||||
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
|
||||
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||||
sMaxStartups, sMaxAuthTries,
|
||||
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
@ -357,6 +361,7 @@ static struct {
|
||||
{ "gatewayports", sGatewayPorts },
|
||||
{ "subsystem", sSubsystem },
|
||||
{ "maxstartups", sMaxStartups },
|
||||
{ "maxauthtries", sMaxAuthTries },
|
||||
{ "banner", sBanner },
|
||||
{ "usedns", sUseDNS },
|
||||
{ "verifyreversemapping", sDeprecated },
|
||||
@ -869,6 +874,10 @@ parse_flag:
|
||||
options->max_startups = options->max_startups_begin;
|
||||
break;
|
||||
|
||||
case sMaxAuthTries:
|
||||
intptr = &options->max_authtries;
|
||||
goto parse_int;
|
||||
|
||||
case sBanner:
|
||||
charptr = &options->banner;
|
||||
goto parse_filename;
|
||||
|
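Review bot: The new `case sMaxAuthTries:` hands the value to the shared `parse_int` label with no range check visible in this hunk, and fill_default_server_options() only replaces -1, so `MaxAuthTries 0` or a negative value is accepted silently; combined with the `failures++ > options.max_authtries` test in auth1.c/auth2.c a negative value disconnects on the first failure and 0 on the second, and `options.max_authtries / 2` in auth.c becomes 0. Rejecting values below 1 when the configuration is loaded keeps the option's behaviour matching its documentation, e.g. right after the default is applied: `if (options->max_authtries < 1) fatal("MaxAuthTries must be at least 1");` (assuming fatal() from the included log.h is how this file already reports invalid values — confirm). The `parse_int` label and the rest of the enclosing parsing function are outside the hunk.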
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.h,v 1.68 2004/04/27 09:46:37 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.69 2004/05/23 23:59:53 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -33,6 +33,7 @@
|
||||
#define PERMIT_NO_PASSWD 2
|
||||
#define PERMIT_YES 3
|
||||
|
||||
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
|
||||
|
||||
typedef struct {
|
||||
u_int num_ports;
|
||||
@ -114,6 +115,7 @@ typedef struct {
|
||||
int max_startups_begin;
|
||||
int max_startups_rate;
|
||||
int max_startups;
|
||||
int max_authtries;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
|
||||
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
@ -35,6 +35,7 @@
|
||||
#LoginGraceTime 2m
|
||||
#PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
|
||||
#RSAAuthentication yes
|
||||
#PubkeyAuthentication yes
|
||||
|
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
@ -402,6 +402,10 @@ for data integrity protection.
|
||||
Multiple algorithms must be comma-separated.
|
||||
The default is
|
||||
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
|
||||
.It Cm MaxAuthTries
|
||||
Specifies the maximum number of authentication attempts permitted per
|
||||
connection. Once the number of failures reaches half this value, additional
|
||||
failures are logged. The default is 6.
|
||||
.It Cm MaxStartups
|
||||
Specifies the maximum number of concurrent unauthenticated connections to the
|
||||
.Nm sshd
|
||||
|