bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-26 16:35 UTC
[Bug 1432] New: MaxAuthTries is not used correctly
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
Summary: MaxAuthTries is not used correctly
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.7p1
Platform: All
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P3
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: Jan.Pechanec at Sun.COM
Created an attachment (id=1447)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1447)
fix for the bug reported
sshd permits 2 more auth failures than it should have according to
MaxAuthTries. See example:
sshd -o MaxAuthTries=4 ....
and the output shows that there were 5 failures + the last one not
logged using "attempt X failures Y" message which makes it 6 in total:
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for janp
debug2: input_userauth_request: try method none
Failed none for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method publickey
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive
Failed keyboard-interactive for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method password
Failed password for janp from 127.0.0.1 port 52777 ssh2
debug1: attempt 5 failures 5
debug2: input_userauth_request: try method password
Failed password for janp from 127.0.0.1 port 52777 ssh2
The problem is this piece of code:
if (authctxt->failures++ > options.max_auth_tries) {
(1) failures should be incremented before the test and (2) there should
be '=' (or >= to be sure), not just '>'. After the simple fix it works
as expected.
While not a big deal, I suggest fixing it since from my experience
people are quite often confused by that. Patch attached.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-28 10:25 UTC
[Bug 1432] MaxAuthTries is not used correctly
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Blocks| |1353
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2008-01-28 21:25:15 ---
If we change this, perhaps we should also increase the default (and
documentation thereof) so that the default behaviour does not change?
Otherwise this change might result in a number of existing
configurations that currently work showing auth failures after an
upgrade?
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-28 13:45 UTC
[Bug 1432] MaxAuthTries is not used correctly
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
--- Comment #2 from Jan Pechanec <Jan.Pechanec at Sun.COM> 2008-01-29 00:45:52 ---
Makes sense. I can see that DEFAULT_AUTH_FAIL_MAX is 6. None, 2 hostbased
and 2 pubkey auth tries makes 5 of them. While this won't break many
automated systems (I don't think that many configurations have more than
2 public keys, for example) it would leave just one try for
password/kbd-interactive auth. To increase DEFAULT_AUTH_FAIL_MAX to 8
sounds very logical.
bugzilla-daemon at bugzilla.mindrot.org
2008-Mar-31 04:09 UTC
[Bug 1432] MaxAuthTries is not used correctly
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1353 |
bugzilla-daemon at bugzilla.mindrot.org
2008-Mar-31 04:11 UTC
[Bug 1432] MaxAuthTries is not used correctly
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1452
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-13 03:30 UTC
[Bug 1432] MaxAuthTries is not used correctly
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2008-06-13 13:30:26 ---
I was looking to apply this, but I reread it and while I agree it's off
by one I can't see two. The man page says:
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
per connection. Once the number of failures reaches half this
value, additional failures are logged. The default is 6.
so in the example you gave attempt #4 is the maximum, and #5 is above
the maximum.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-29 20:12 UTC
[Bug 1432] MaxAuthTries is not used correctly
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
Jan Pechanec <Jan.Pechanec at Sun.COM> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Jan.Pechanec at Sun.COM
--- Comment #4 from Jan Pechanec <Jan.Pechanec at Sun.COM> 2008-06-30 06:12:12 ---
The 1st attempt is #0, not #1.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-04 23:34 UTC
[Bug 1432] MaxAuthTries is not used correctly
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
CC| |djm at mindrot.org
--- Comment #5 from Damien Miller <djm at mindrot.org> 2008-07-05 09:34:13 ---
A fix for this has been committed:
Both protocol 1 and 2 now check that failures < max_auth_tries before
running the auth method (allowing MaxAuthTries=0 to work). Failure is
now pre-incremented and the test is "<=", not "<".
Finally, protocol 2 allows an initial authentication attempt with the
"none" method without penalty if MaxAuthTries>0 because of its
slightly-special nature in the protocol.
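The off-by-one in the test quoted in the report, and the rule Damien describes in this comment, replayed against the failing method sequence from the original debug log. This is an added example, not OpenSSH's code; the exact shape of the fixed check (and the helper names here) is an assumption based on the comment.

```c
/* Added example, not OpenSSH code: a model of sshd's per-connection failure
 * counter, replaying the report's method sequence against the 4.7p1 test and
 * against the rule in comment #5. The fixed code's exact form is assumed. */
#include <stdio.h>
#include <string.h>
enum policy { OLD_TEST, FIXED_TEST };
struct sim_result {
    int ran;       /* methods the server actually ran (all of them fail) */
    int failures;  /* failures counted against MaxAuthTries */
};

/* Constructed to mirror the debug log in the report; every attempt fails. */
static const char *report_methods[] = {
    "none", "publickey", "publickey", "keyboard-interactive",
    "password", "password", "password", "password"
};
#define REPORT_N (int)(sizeof(report_methods) / sizeof(report_methods[0]))

/* Replays the methods until sshd would disconnect or the client runs out. */
struct sim_result simulate(enum policy p, int max_auth_tries)
{
    struct sim_result r = { 0, 0 };
    for (int attempt = 1; attempt <= REPORT_N; attempt++) {
        /* Fixed: refuse before running the method, so MaxAuthTries=0 works. */
        if (p == FIXED_TEST && r.failures >= max_auth_tries)
            break;
        r.ran++;                                /* the method runs and fails */
        if (p == OLD_TEST) {
            /* 4.7p1: post-increment and strict '>' admit two extra failures. */
            if (r.failures++ > max_auth_tries)
                break;
        } else {
            /* Fixed: the first "none" probe is free; then count the failure
             * and disconnect as soon as the limit is reached. */
            if (attempt > 1 || strcmp(report_methods[attempt - 1], "none") != 0)
                r.failures++;
            if (r.failures >= max_auth_tries)
                break;
        }
    }
    return r;
}

int main(void)
{
    struct sim_result o = simulate(OLD_TEST, 4), f = simulate(FIXED_TEST, 4);
    printf("MaxAuthTries=4: old test ran %d methods (%d failures), "
           "fixed test ran %d (%d counted)\n", o.ran, o.failures, f.ran, f.failures);
    return 0;
}
```

With MaxAuthTries=4 the old test lets all six failures from the log through, while the fixed rule stops after the free "none" probe plus four counted failures; with MaxAuthTries=0 the old test still runs two methods and the fixed one runs none.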
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-22 02:20 UTC
[Bug 1432] MaxAuthTries is not used correctly
https://bugzilla.mindrot.org/show_bug.cgi?id=1432
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> 2008-07-22 12:20:38 ---
Mass update RESOLVED->CLOSED after release of openssh-5.1