OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt
Damien Miller
djm at mindrot.org
Wed Jun 27 15:00:24 EST 2001
On Wed, 27 Jun 2001, Matthew Melvin wrote:
> When using PAM to do password authentication the attempt/failure counter
> appears to be getting confused. This is using a rh62 system with the
> openssh-2.9p2-1 rpms...
[snip]
> So for one incorrect password the attempt/failure count goes from...
>
> debug1: attempt 3 failures 3
>
> ... to...
>
> debug1: attempt 5 failures 4
>
> Looking at the source it seems authctxt->attempt++ is being incremented
> twice, once in auth2.c:input_userauth_request() and again in
> auth2-pam.c:input_userauth_info_response_pam().
>
> Attached is a patch that fixed these symptoms for me. Attempt/failure are
> incremented one at a time, the last password prompt is no longer ignored, and
> the client is only disconnected after 6 (AUTH_FAIL_MAX) failures not after 6
> attempts. I am not completely certain this behaviour matches the original
> intent so YMMV...
I don't think the test is necessary at all, as the checking is done in
userauth_finish anyway. How does this patch go?
Index: auth2-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth2-pam.c,v
retrieving revision 1.10
diff -u -r1.10 auth2-pam.c
--- auth2-pam.c 2001/02/16 02:03:04 1.10
+++ auth2-pam.c 2001/06/27 04:59:59
@@ -137,9 +137,6 @@
if (authctxt == NULL)
fatal("input_userauth_info_response_pam: no authentication context");
- if (authctxt->attempt++ >= AUTH_FAIL_MAX)
- packet_disconnect("too many failed userauth_requests");
-
nresp = packet_get_int(); /* Number of responses. */
debug("got %d responses", nresp);
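Review bot: the removed `authctxt->attempt++ >= AUTH_FAIL_MAX` test at the top of input_userauth_info_response_pam was the only limit visible in this hunk, so after the change nothing here bounds repeated info responses and the cap depends entirely on userauth_finish, which this diff does not show. Please confirm that every failure path out of this handler reaches userauth_finish and that failures are counted against AUTH_FAIL_MAX there, and leave a one-line comment where the check was saying the limit is enforced in userauth_finish, so the second increment of authctxt->attempt is not reintroduced later.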
-d
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer