[Bug 1432] New: MaxAuthTries is not used correctly
bugzilla-daemon at bugzilla.mindrot.org
Sun Jan 27 03:35:10 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
Summary: MaxAuthTries is not used correctly
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.7p1
Platform: All
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P3
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: Jan.Pechanec at Sun.COM
Created an attachment (id=1447)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1447)
fix for the bug reported
sshd permits 2 more auth failures than it should have according to
MaxAuthTries. See example:
sshd -o MaxAuthTries=4 ....
The output shows that there were 5 failures, plus the last one not
logged using the "attempt X failures Y" message, which makes it 6 in total:
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for janp
debug2: input_userauth_request: try method none
Failed none for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method publickey
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive
Failed keyboard-interactive for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method password
Failed password for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 5 failures 5
debug2: input_userauth_request: try method password
Failed password for janp from 127.0.0.1 port 52777 ssh2
The problem is this piece of code:
if (authctxt->failures++ > options.max_auth_tries) {
(1) failures should be incremented before the test and (2) there should
be '=' (or >= to be sure), not just '>'. After the simple fix it works
as expected.
While not a big deal, I suggest fixing it since, from my experience,
people are quite often confused by that. Patch attached.
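The counting described in the report, as an added example that is not part of the original message or of the OpenSSH source: a small C model that compares the quoted check with the form the report proposes. The struct, the function names and the assumption that every attempt fails are hypothetical; only the two comparison expressions follow the report.

```c
#include <stdio.h>

/* Hypothetical stand-in for sshd's per-connection auth state;
 * only the failure counter is modelled. */
struct authctxt { int failures; };

/* Check as quoted in the report: post-increment, strict '>'. */
static int reported_check(struct authctxt *a, int max_auth_tries)
{
    return a->failures++ > max_auth_tries;
}

/* Check as the report proposes: increment first, compare with '>='. */
static int proposed_check(struct authctxt *a, int max_auth_tries)
{
    return ++a->failures >= max_auth_tries;
}

/* Assume every authentication attempt fails (constructed scenario).
 * Returns how many failed attempts the client gets, counting the one
 * on which the check finally asks for a disconnect. */
static int failed_attempts_until_disconnect(
    int (*check)(struct authctxt *, int), int max_auth_tries)
{
    struct authctxt a = { 0 };
    int attempts = 0;

    do {
        attempts++;
    } while (!check(&a, max_auth_tries) && attempts < 1000);
    return attempts;
}

int main(void)
{
    int max;

    printf("MaxAuthTries  reported  proposed\n");
    for (max = 1; max <= 6; max++)
        printf("%12d  %8d  %8d\n", max,
            failed_attempts_until_disconnect(reported_check, max),
            failed_attempts_until_disconnect(proposed_check, max));
    return 0;
}
```

For MaxAuthTries=4 the model gives 6 failed attempts with the quoted check, matching the debug log above, and 4 with the proposed one.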