openssh bugs - Sep 2014 - [Bug 2270] New: AuthenticationMethods - partial success is considered as failure

https://bugzilla.mindrot.org/show_bug.cgi?id=2270

            Bug ID: 2270
           Summary: AuthenticationMethods - partial success is considered
                    as failure
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: plautrba at redhat.com

Created attachment 2468
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2468&action=edit
don't increment failures in case of partial success

sshd logs auth failure even if there was no failed attempt in
authenticationthat when using AuthenticationMethods, see logs:

debug3: userauth_finish: failure partial=0 next methods="password"
[preauth]
debug1: userauth-request for user plautrba service ssh-connection
method password [preauth]
debug1: attempt 1 failures 0 [preauth]
...
debug3: userauth_finish: failure partial=1 next methods="publickey"
[preauth]
debug1: userauth-request for user plautrba service ssh-connection
method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]


The problem is in the auth2.c code which doesn't take into account
partial success and increments authctxt->failures as authenticated is
set to 0.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2270

Petr Lautrbach <plautrba at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Petr Lautrbach <plautrba at redhat.com> ---
I believe this is fixed in the latest tree. Thanks.

commit 058f839fe15c51be8b3a844a76ab9a8db550be4f
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Thu Dec 18 23:58:04 2014 +0000

    upstream commit

    don't count partial authentication success as a failure
     against MaxAuthTries; ok deraadt@

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2270

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |2266

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2270

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
openssh-6.8 is released

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.