[Bug 1432] New: MaxAuthTries is not used correctly

bugzilla-daemon at bugzilla.mindrot.org
Sun Jan 27 03:35:10 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1432

           Summary: MaxAuthTries is not used correctly
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: All
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P3
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: Jan.Pechanec at Sun.COM


Created an attachment (id=1447)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1447)
fix for the bug reported

sshd permits 2 more auth failures than it should have according to
MaxAuthTries. See example:

sshd -o MaxAuthTries=4 ....

and the output shows that there were 5 failures + the last one not
logged using "attempt X failures Y" message which makes it 6 in total:

debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for janp
debug2: input_userauth_request: try method none
Failed none for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method publickey
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive
Failed keyboard-interactive for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method password
Failed password for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 5 failures 5
debug2: input_userauth_request: try method password
Failed password for janp from 127.0.0.1 port 52777 ssh2

the problem is this piece of code:

       if (authctxt->failures++ > options.max_auth_tries) {

(1) failures should be incremented before the test and (2) there should
be '='  (or >= to be sure), not just '>'. After the simple fix it works
as expected.

While not a big deal, I suggest fixing it since, from my experience,
people are quite often confused by that. Patch attached.

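The off-by-two in the quoted check, as an added example that is not part of the original report and is not the attached patch: it counts how many failed attempts a client gets before the limit fires, for the quoted test and for one reading of the fix described in points (1) and (2). The struct shapes and function names are assumptions made for illustration.

```c
#include <stdio.h>

/* Minimal stand-ins for the sshd structures named in the report (assumed shapes). */
struct authctxt { int failures; };
struct server_options { int max_auth_tries; };

/* The check quoted in the report: post-increment, strict '>'. */
static int limit_hit_reported(struct authctxt *a, const struct server_options *o)
{
    return a->failures++ > o->max_auth_tries;
}

/* One reading of the described fix: increment first, then compare with '>='. */
static int limit_hit_described_fix(struct authctxt *a, const struct server_options *o)
{
    return ++a->failures >= o->max_auth_tries;
}

typedef int (*limit_check)(struct authctxt *, const struct server_options *);

/*
 * Feed failed attempts until the check fires. Returns how many failed
 * attempts the client got, counting the one that triggers the disconnect.
 */
static int failed_attempts_allowed(limit_check check, int max_auth_tries)
{
    struct authctxt a = { 0 };
    struct server_options o = { max_auth_tries };
    int attempts = 0;

    do {
        attempts++;
    } while (!check(&a, &o) && attempts < 1000); /* safety bound for the demo */
    return attempts;
}

int main(void)
{
    for (int max = 1; max <= 6; max++)
        printf("MaxAuthTries=%d reported=%d described_fix=%d\n", max,
               failed_attempts_allowed(limit_hit_reported, max),
               failed_attempts_allowed(limit_hit_described_fix, max));
    return 0;
}
```

With MaxAuthTries=4 the quoted check fires on the sixth failed attempt, matching the six failures in the debug output above; the pre-increment form fires on the fourth.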