- OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2011/03/10 02:52:57
     [auth2-gss.c auth2.c]
     allow GSSAPI authentication to detect when a server-side failure causes
     authentication failure and don't count such failures against MaxAuthTries;
     bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
diff --git a/ChangeLog b/ChangeLog
index 25fe591..62f026e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,12 @@
    [regress/README.regress] Remove ssh-rand-helper and all its
    tentacles. PRNGd seeding has been rolled into entropy.c directly.
    Thanks to tim@ for testing on affected platforms.
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2011/03/10 02:52:57
+     [auth2-gss.c auth2.c]
+     allow GSSAPI authentication to detect when a server-side failure causes
+     authentication failure and don't count such failures against MaxAuthTries;
+     bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
 
 20110221
  - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
diff --git a/auth2-gss.c b/auth2-gss.c
index 0e08d88..0d59b21 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -102,6 +102,7 @@
 
 	if (!present) {
 		xfree(doid);
+		authctxt->server_caused_failure = 1;
 		return (0);
 	}
 
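Review bot: The `!present` branch marks the failure as server-caused, yet `present` appears to depend on the mechanism OIDs the client put in its request (the code that sets it is above this hunk), so a client can reach this exemption on every request and MaxAuthTries no longer bounds GSSAPI attempts on this path. No credential is tested here, so the exposure is how long an unauthenticated session can keep issuing requests, not guessing; the remaining bound has to come from something outside this diff, such as the login grace timer. I would state that above the assignment, e.g. `/* unsupported mechanism: no credential tried, exempt from MaxAuthTries; session still bounded by LoginGraceTime */`, and confirm that the bound actually holds. The second hunk in this file (old line 109) sets the flag on a path whose condition is also outside the hunk and deserves the same check.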
@@ -109,6 +110,7 @@
 		if (ctxt != NULL)
 			ssh_gssapi_delete_ctx(&ctxt);
 		xfree(doid);
+		authctxt->server_caused_failure = 1;
 		return (0);
 	}
 
diff --git a/auth2.c b/auth2.c
index 95820f9..c06c95f 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.122 2010/08/31 09:58:37 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -274,6 +274,7 @@
 #endif
 
 	authctxt->postponed = 0;
+	authctxt->server_caused_failure = 0;
 
 	/* try to authenticate user */
 	m = authmethod_lookup(method);
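Review bot: `server_caused_failure` is cleared here and set in auth2-gss.c, but no file in this diff declares the field. The commit message lists only auth2-gss.c and auth2.c, so the structure behind `authctxt` (presumably defined in a header) needs the new member or the build fails. Where it is declared, a comment such as `/* set by a method when the failure was not the client's doing; cleared for each userauth request */` would document the contract this reset relies on. The enclosing function starts and ends outside the hunk.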
@@ -346,7 +347,8 @@
 	} else {
 
 		/* Allow initial try of "none" auth without failure penalty */
-		if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+		if (!authctxt->server_caused_failure &&
+		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
 			authctxt->failures++;
 		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
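Review bot: The comment above the rewritten condition still says only `Allow initial try of "none" auth without failure penalty`, while the condition now also exempts every failure flagged `server_caused_failure`. Since this test decides what counts against MaxAuthTries, the comment should name both exemptions, e.g. `/* Don't count server-caused failures or the initial "none" probe against MaxAuthTries */`. An exempted failure also leaves no trace in `authctxt->failures`, so a log line where the exemption is taken would help when reviewing repeated failed requests. Whether one exists later in the function is not visible, because the body continues outside the hunk.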