- (bal) OpenBSD CVS Update
   - markus@cvs.openbsd.org 2000/12/28 14:25:51
     [auth.h auth2.c]
     count authentication failures only
   - markus@cvs.openbsd.org 2000/12/28 14:25:03
     [sshconnect.c]
     fingerprint for MITM attacks, too.
   - markus@cvs.openbsd.org 2000/12/28 12:03:57
     [sshd.8 sshd.c]
     document -D
   - markus@cvs.openbsd.org 2000/12/27 14:19:21
     [serverloop.c]
     less chatty
   - markus@cvs.openbsd.org 2000/12/27 12:34
     [auth1.c sshconnect2.c sshd.c]
     typo
   - markus@cvs.openbsd.org 2000/12/27 12:30:19
     [readconf.c readconf.h ssh.1 sshconnect.c]
     new option: HostKeyAlias: allow the user to record the host key
     under a different name. This is useful for ssh tunneling over
     forwarded connections or if you run multiple sshd's on different
     ports on the same machine.
   - markus@cvs.openbsd.org 2000/12/27 11:51:53
     [ssh.1 ssh.c]
     multiple -t force pty allocation, document ORIGINAL_COMMAND
   - markus@cvs.openbsd.org 2000/12/27 11:41:31
     [sshd.8]
     update for ssh-2
diff --git a/auth2.c b/auth2.c
index a0e6d57..4880b73 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.23 2000/12/19 23:17:55 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.24 2000/12/28 14:25:51 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -124,6 +124,7 @@
 	memset(authctxt, 'a', sizeof(*authctxt));
 	authctxt->valid = 0;
 	authctxt->attempt = 0;
+	authctxt->failures = 0;
 	authctxt->success = 0;
 	x_authctxt = authctxt;		/*XXX*/
 
@@ -190,21 +191,14 @@
 
 	if (authctxt == NULL)
 		fatal("input_userauth_request: no authctxt");
-	if (authctxt->attempt++ >= AUTH_FAIL_MAX) {
-#ifdef WITH_AIXAUTHENTICATE 
-		loginfailed(authctxt->user?authctxt->user:"NOUSER", 
-			get_canonical_hostname(), "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
-		packet_disconnect("too many failed userauth_requests");
-	}
 
 	user = packet_get_string(NULL);
 	service = packet_get_string(NULL);
 	method = packet_get_string(NULL);
 	debug("userauth-request for user %s service %s method %s", user, service, method);
-	debug("attempt #%d", authctxt->attempt);
+	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
-	if (authctxt->attempt == 1) { 
+	if (authctxt->attempt++ == 0) {
 		/* setup auth context */
 		struct passwd *pw = NULL;
 		setproctitle("%s", user);
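Review bot: With the lockout removed from input_userauth_request, `attempt` is now read only by the first-request test `if (authctxt->attempt++ == 0)` and the debug line, and it grows without bound; a short comment there would keep the next reader from hunting for the missing cap, e.g. `/* attempt just counts requests; the failure limit is enforced in userauth_reply() */`. The debug line now prints the client-supplied user, service and method strings before any limit is applied, whereas the old code only reached it after the attempt cap had passed; at debug level that is probably acceptable, but it is a change worth noting in the log message rationale. input_userauth_request continues past the end of this hunk.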
@@ -273,7 +267,7 @@
 	/* Raise logging level */
 	if (authenticated == 1 ||
 	    !authctxt->valid ||
-	    authctxt->attempt >= AUTH_FAIL_LOG ||
+	    authctxt->failures >= AUTH_FAIL_LOG ||
 	    strcmp(method, "password") == 0)
 		authlog = log;
 
@@ -302,6 +296,7 @@
 void   
 userauth_reply(Authctxt *authctxt, int authenticated)
 {
+	char *methods;
 	/* XXX todo: check if multiple auth methods are needed */
 	if (authenticated == 1) {
 #ifdef WITH_AIXAUTHENTICATE
@@ -318,7 +313,9 @@
 		/* now we can break out */
 		authctxt->success = 1;
 	} else if (authenticated == 0) {
-		char *methods = authmethods_get();
+		if (authctxt->failures++ >= AUTH_FAIL_MAX)
+			packet_disconnect("too many failed userauth_requests");
+		methods = authmethods_get();
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);
 		packet_put_char(0);	/* XXX partial success, unused */
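Review bot: The new disconnect at `if (authctxt->failures++ >= AUTH_FAIL_MAX)` drops the `loginfailed()` call that accompanied the disconnect it replaces in input_userauth_request, so on WITH_AIXAUTHENTICATE builds a lockout no longer records a platform login failure, while the success branch just above still keeps its AIX-specific hook. The call should move with the disconnect, wrapped in a brace block as below. Separately, only the `authenticated == 0` branch increments `failures`; a request the method handler answers with any other non-success value appears to be neither counted nor limited, which matches the commit message's intent but deserves a comment such as `/* only definite failures count toward AUTH_FAIL_MAX; postponed methods are not limited here */`. userauth_reply continues past the end of this hunk.
```c
	} else if (authenticated == 0) {
		if (authctxt->failures++ >= AUTH_FAIL_MAX) {
#ifdef WITH_AIXAUTHENTICATE
			/* keep the platform failure record the old call site made */
			loginfailed(authctxt->user ? authctxt->user : "NOUSER",
			    get_canonical_hostname(), "ssh");
#endif /* WITH_AIXAUTHENTICATE */
			packet_disconnect("too many failed userauth_requests");
		}
		methods = authmethods_get();
		/* … unchanged: USERAUTH_FAILURE reply … */
```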