OSEC

Re: CVS: cvs.openbsd.org: src

From: Damien Miller (djm@mindrot.org)
Date: Wed Jul 02 2008 - 07:40:27 CDT


ok dtucker

On Wed, 2 Jul 2008, Damien Miller wrote:

> CVSROOT: /cvs
> Module name: src
> Changes by: djm@cvs.openbsd.org 2008/07/02 06:36:39
>
> Modified files:
> usr.bin/ssh : auth2.c auth2-none.c
>
> Log message:
> Make protocol 2 MaxAuthTries behaviour a little more sensible:
>
> Check whether client has exceeded MaxAuthTries before running
> an authentication method and skip it if they have; previously it
> would always allow one try (for "none" auth).
>
> Preincrement failure count before post-auth test - previously this
> checked and postincremented, also to allow one "none" try.
>
> Together, these two changes always count the "none" auth method
> which could be skipped by a malicious client (e.g. an SSH worm)
> to get an extra attempt at a real auth method. They also make
> MaxAuthTries=0 a useful way to block users entirely (esp. in a
> sshd_config Match block).
>
> Also, move sending of any preauth banner from "none" auth method
> to the first call to input_userauth_request(), so worms that skip
> the "none" method get to see it too.
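The two orderings the commit message contrasts can be modelled with a few lines of C. The following is an added example, not OpenSSH code and not the patched auth2.c; it assumes a simplified server loop in which every userauth request fails, the client either sends a "none" request first or skips straight to a real method, and the only state is a failure counter compared against MaxAuthTries. The hypothetical `old_real_attempts` reproduces "run the method, then check and post-increment"; `new_real_attempts` reproduces "skip the method once the limit is reached, pre-increment, then test". The banner relocation is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example (not OpenSSH's code): a hypothetical model of how many
 * real authentication attempts a failing client gets to run before
 * being disconnected, under the old and the new MaxAuthTries ordering.
 * "Real" means any method other than "none" (e.g. "password").
 */

/* Old ordering (as described in the commit): the method always runs,
 * then the failure count is checked and post-incremented. */
static int old_real_attempts(int max_auth_tries, bool skip_none)
{
    int failures = 0, real_runs = 0;
    bool request_is_none = !skip_none;   /* a normal client tries "none" first */

    for (;;) {
        /* The method ran regardless of how many failures had accumulated. */
        if (!request_is_none)
            real_runs++;
        request_is_none = false;         /* every later request is a real method */

        /* Check, then post-increment: the (max+1)th failure disconnects,
         * so the "none" try was effectively free. */
        if (failures++ >= max_auth_tries)
            return real_runs;            /* server disconnects here */
    }
}

/* New ordering: skip the method once the limit is already reached, and
 * pre-increment the failure count before the post-auth test. */
static int new_real_attempts(int max_auth_tries, bool skip_none)
{
    int failures = 0, real_runs = 0;
    bool request_is_none = !skip_none;

    for (;;) {
        /* Method only runs while the client is still under the limit. */
        if (failures < max_auth_tries && !request_is_none)
            real_runs++;
        request_is_none = false;

        /* Pre-increment, then test: "none" is counted like any other method. */
        if (++failures >= max_auth_tries)
            return real_runs;            /* server disconnects here */
    }
}

int main(void)
{
    int limits[] = { 0, 1, 3, 6 };       /* 6 is sshd's default MaxAuthTries */
    size_t i;

    printf("MaxAuthTries  old(none first)  old(skip none)  new(none first)  new(skip none)\n");
    for (i = 0; i < sizeof limits / sizeof limits[0]; i++) {
        int m = limits[i];
        printf("%12d  %15d  %14d  %15d  %14d\n", m,
               old_real_attempts(m, false), old_real_attempts(m, true),
               new_real_attempts(m, false), new_real_attempts(m, true));
    }
    return 0;
}
```

Under the old ordering a client that skips "none" gets one more real attempt than MaxAuthTries, and MaxAuthTries=0 still permits one attempt; under the new ordering the total number of requests that run a method is exactly MaxAuthTries whether or not "none" is sent, and MaxAuthTries=0 runs none at all, which is what makes it usable as a deny rule in a Match block.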