Displaying 20 results from an estimated 26 matches for "auth_fail_max".

2001 Aug 08
1
AUTH_FAIL_MAX reached too early
This looks like a bug (ssh -v output from user included below). AUTH_FAIL_MAX is reached before all supported authentication methods are tried. One possible solution is to count authentication failures separately for each method tried, and disconnect if one fails more than <configurable> times. Btw: The exit status bug is fixed in the CVS version of OpenSSH, but I...
2000 Nov 30
1
Problem and Patch: Multiple keys in ssh.com V2 agent
...next part -------------- diff -ru openssh-2.3.0p1.orig/auth.h openssh-2.3.0p1/auth.h --- openssh-2.3.0p1.orig/auth.h Thu Nov 30 08:59:39 2000 +++ openssh-2.3.0p1/auth.h Thu Nov 30 10:32:54 2000 @@ -45,8 +45,8 @@ int allowed_user(struct passwd * pw); struct passwd * auth_get_user(void); -#define AUTH_FAIL_MAX 6 -#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) +#define AUTH_FAIL_MAX 5 +#define AUTH_FAIL_LOG AUTH_FAIL_MAX #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" #endif diff -ru openssh-2.3.0p1.orig/auth2.c openssh-2.3.0p1/auth2.c --- openssh-2.3.0p1.orig/auth2.c Thu Nov 30...
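Review bot: in the auth.h hunk, redefining AUTH_FAIL_LOG from (AUTH_FAIL_MAX/2) to AUTH_FAIL_MAX moves the logging threshold up to the disconnect limit itself, so repeated failures below the limit no longer cross it. That is a separate behaviour change from lowering AUTH_FAIL_MAX from 6 to 5 and is not explained in the visible lines. If only the limit needs to change for the multiple-key case, keep AUTH_FAIL_LOG at (AUTH_FAIL_MAX/2); otherwise add a comment next to both defines saying why 5 was chosen and why early logging is dropped.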
2001 Dec 26
3
auth*.c
Folks, During testing, we found a couple of issues with openssh3.0.2p1: 1. In userauth_finish() in auth2.c (as well as in do_authloop in auth1.c), the foll. check: if (authctxt->failures++ > AUTH_FAIL_MAX) is never satisfied and thus packet_disconnect() never gets called. I suspect the code just drops out of the dispatch_run function list instead. This should be an == instead of >. While looking at the debug output when deliberately entering wrong passwords, I noticed one try for none, three for...
2000 May 15
1
AIX authenticate patches
...== 0) - loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); + loginfailed(user,get_canonical_hostname(),"ssh"); #endif /* WITH_AIXAUTHENTICATE */ /* Indicate that authentication is needed. */ @@ -408,8 +406,12 @@ client_user = NULL; } - if (attempt > AUTH_FAIL_MAX) + if (attempt > AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); + } /* Send a message indicating that the authentication attem...
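Review bot: the loginfailed() call added inside the new "if (attempt > AUTH_FAIL_MAX) {" block passes pw->pw_name, while the hunk just above changes the same call from pw->pw_name to user. If that change was made because pw is not reliable at that point, the new call should take the same argument; if the difference is deliberate, say so in a comment. The same applies to packet_disconnect(AUTH_FAIL_MSG, pw->pw_name) in this branch.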
2001 Jun 26
1
OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt
...ce, once in auth2.c:input_userauth_request() and again in auth2-pam.c:input_userauth_info_response_pam(). Attached is a patch that fixed these symptoms for me. Attempt/failure are incremented one at a time, the last password prompt is no longer ignored, and the client is only disconnected after 6 (AUTH_FAIL_MAX) failures not after 6 attempts. I am not completely certain this behaviour matches the original intent so YMMV... M. -- WebCentral Pty Ltd Australia's #1 Internet Web Hosting Company Level 1, 96 Lytton Road. Network Operations - Systems Engineer PO Box 4169, East Brisbane...
1999 Dec 07
1
Serious Bug Report: OpenSSH
.../07 03:55:18 @@ -1551,24 +1551,41 @@ get_remote_port(), user); -#ifdef HAVE_LIBPAM - do_pam_account_and_session(pw->pw_name, client_user); +#ifndef HAVE_LIBPAM + if (authenticated) + return; - /* Clean up */ - if (client_user != NULL) - xfree(client_user); + if (attempt > AUTH_FAIL_MAX) + packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); +#else /* HAVE_LIBPAM */ + if (authenticated) { + do_pam_account_and_session(pw->pw_name, client_user); - if (password != NULL) { - memset(password, 0, strlen(password)); - xfree(password); - } -#endif /* HAVE_LIBPAM */ + /* Cle...
2001 Feb 04
1
minor aix patch to auth1.c
--- auth1.c.orig Sat Feb 3 18:17:53 2001 Bringa AIX modes in line with latest changes to auth1.c +++ auth1.c Sat Feb 3 18:19:15 2001 @@ -347,7 +347,7 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { #ifdef WITH_AIXAUTHENTICATE - loginfailed(user,get_canonical_hostname(),"ssh"); + loginfailed(authctxt->user,get_canonical_hostname(),"ssh"); #endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, authctxt-&gt...
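Review bot: loginfailed() remains inside the "if (authctxt->failures++ > AUTH_FAIL_MAX) {" branch at line 347, so the AIX failed-login record is written only on the attempt that triggers the disconnect, not on each failed authentication. Switching the argument to authctxt->user is fine, but if per-attempt accounting is wanted the call has to move out of this branch; if one record per connection is intended, a short comment here would make that explicit.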
2004 Apr 07
2
Requiring multiple auth mechanisms
I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implementation. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of
2000 Feb 09
0
[Colin Watson <cjw44@cam.ac.uk>] Bug#49902: [PATCH] Bug#49902: ssh and pam conspire to deny logins
...@@ -1414,8 +1414,10 @@ return; } - if (client_user != NULL) + if (client_user != NULL) { xfree(client_user); + client_user = NULL; + } if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); This should close this bug and #54894 (which I don't believe would have posed security problems), and with a bit of luck might yield more clues to #51306 as well. HTH, -- Colin Watson...
2000 Mar 06
0
openssh-1.2.2 bug/patch
...sshd to crash under linux; a similar fix is probably needed for the pam code, btw) --- sshd.c~ Tue Jan 25 16:07:22 2000 +++ sshd.c Sun Mar 5 22:14:40 2000 @@ -1525,7 +1525,10 @@ } if (client_user != NULL) + { xfree(client_user); + client_user = NULL; + } if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
2000 Sep 05
0
[PATCH] Added features for AIX authentication
...: Received disconnect: You are not allowed to login at this time. lost connection - Increments the failed login count with each failed authentication attempt (to match AIX login's behaviour). Previous behaviour was to increment once after AUTH_FAIL_MAX attempts. Our policy is 5 strikes -- the previous behaviour gave 25. I have tested these with the OpenSSH client and SecureCRT v3.1. They don't attempt to extend the SSH protocols -- they work within established sessions. (See attached file: aix_changes.patch) Best wishes, ---...
2002 Jun 21
4
[Bug 145] sshd fails to increment AIX login failed counter
http://bugzilla.mindrot.org/show_bug.cgi?id=145 ------- Additional Comments From dtucker at zip.com.au 2002-06-21 23:43 ------- Created an attachment (id=116) Merge all previous patches and diff against -cvs ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2003 May 12
3
[Bug 561] Please implement MaxAuthTries
http://bugzilla.mindrot.org/show_bug.cgi?id=561 Summary: Please implement MaxAuthTries Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wmertens at
2001 Oct 12
17
Please test snapshots for 3.0 release
Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer
2003 Feb 28
0
[PATCH] Clean up failed login logging.
...======================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v retrieving revision 1.112 diff -u -r1.112 auth2.c --- auth2.c 24 Feb 2003 00:59:27 -0000 1.112 +++ auth2.c 25 Feb 2003 09:45:10 -0000 @@ -241,10 +241,6 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } -#ifdef _UNICOS - if (strcmp(method, "password") == 0) - cray_login_failure(authctxt->user, IA_UDBERR); -#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cs...
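Review bot: the removed _UNICOS block in auth2.c called cray_login_failure(authctxt->user, IA_UDBERR) only when method was "password", and it sat after the AUTH_FAIL_MAX disconnect check, so it ran on each failed attempt that did not disconnect. Nothing in the visible hunk shows where that call now lives. Please confirm the replacement path keeps both properties (password method only, every non-disconnecting failure), and mention the new location in the patch description.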
2004 Jul 01
4
[Bug 559] PAM fixes
...ptions.permit_empty_passwd && /* none !allowed */ >+ !authenticated)) /* failed auth */ >+ auth_log(authctxt, authenticated, method, " ssh2"); I don't see why this is needed. Until you get to options.max_authtries/2 failures (which used to be hard-coded to AUTH_FAIL_MAX/2 = 3) it will only get logged at "verbose" level anyway. >+ if (!options.password_authentication || !options.permit_empty_passwd) >+ return(0); Handled in auth-passwd.c (see above). >- retval = (do_pam_authenticate(0) == PAM_SUCCESS); >+ retval = (do_pam_authenticate(opti...
2003 Apr 03
0
[PATCH re-send]: Clean up logging of failed logins.
...======================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v retrieving revision 1.112 diff -u -r1.112 auth2.c --- auth2.c 24 Feb 2003 00:59:27 -0000 1.112 +++ auth2.c 25 Feb 2003 09:45:10 -0000 @@ -241,10 +241,6 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } -#ifdef _UNICOS - if (strcmp(method, "password") == 0) - cray_login_failure(authctxt->user, IA_UDBERR); -#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cs...
2000 Feb 02
1
Bugreport: OpenSSH-1.2.2 Server for Linux (glibc 2.1.2)
Hi, I would like to report a bug in OpenSSH-1.2.2 (release) under Linux. Under certain conditions the sshd client process segfaults while doing the password authentification. I have observed the behaviour with glibc 2.0.7 (non-PAM), glibc 2.1.1 (PAM) and glibc 2.1.2 (PAM), when 'RhostsRSAAuthentication yes' is chosen in sshd_config. It appears to happen regardless whether PAM is used or
2003 Jan 27
1
[PATCH] Creation of record_failed_login() in sshlogin.c
...======================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v retrieving revision 1.111 diff -u -r1.111 auth2.c --- auth2.c 26 Sep 2002 00:38:49 -0000 1.111 +++ auth2.c 27 Jan 2003 11:38:03 -0000 @@ -242,10 +242,6 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } -#ifdef _UNICOS - if (strcmp(method, "password") == 0) - cray_login_failure(authctxt->user, IA_UDBERR); -#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cs...
2000 Oct 24
3
openssh-SNAP-20001016
Using openssh-SNAP-20001016 all of our problems with hanging connections have gone away (woohoo!), and it seems to be working flawlessly, but I am seeing messages like this in syslog: Oct 24 16:57:48 dhumb301 sshd[17752]: error: channel 0: internal error: we do not read, but chan_read_failed for istate 8 Oct 24 16:57:59 dhumb301 sshd[17771]: error: select: Bad file descriptor Oct 24 16:58:30