Module Name: src
Committed By: rin
Date: Wed Oct 9 01:49:20 UTC 2024
Modified Files:
src/crypto/external/bsd/openssh/dist: auth.c auth2.c
Log Message:
sshd: Finally fix spurious blocklistd activation (PR bin/58369)
Drop one more pfilter_notify() call from userauth_finish(),
for single failure in authentication attempt.
This happens for users with multiple public keys; e.g., both
rsa and ed25519 keys are registered into ssh-agent(1), while
only the latter is in remote authorized_keys.
Instead, it is called from auth_maxtries_exceeded(), when
the authentication process has actually failed. This function is
called also from input_userauth_request(). But I guess this
cannot happen frequently; this path is taken with >= 1024
failed attempts, although MaxAuthTries is 6 by default...
To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/crypto/external/bsd/openssh/dist/auth.c
cvs rdiff -u -r1.31 -r1.32 src/crypto/external/bsd/openssh/dist/auth2.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/openssh/dist/auth.c
diff -u src/crypto/external/bsd/openssh/dist/auth.c:1.36 src/crypto/external/bsd/openssh/dist/auth.c:1.37
--- src/crypto/external/bsd/openssh/dist/auth.c:1.36 Tue Sep 24 21:32:18 2024
+++ src/crypto/external/bsd/openssh/dist/auth.c Wed Oct 9 01:49:20 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: auth.c,v 1.36 2024/09/24 21:32:18 christos Exp $ */
+/* $NetBSD: auth.c,v 1.37 2024/10/09 01:49:20 rin Exp $ */
/* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */
/*
@@ -26,7 +26,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth.c,v 1.36 2024/09/24 21:32:18 christos Exp $");
+__RCSID("$NetBSD: auth.c,v 1.37 2024/10/09 01:49:20 rin Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
@@ -415,6 +415,7 @@ auth_maxtries_exceeded(struct ssh *ssh)
{
Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+ pfilter_notify(1);
error("maximum authentication attempts exceeded for "
"%s%.100s from %.200s port %d ssh2",
authctxt->valid ? "" : "invalid user ",
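Review bot: The added `pfilter_notify(1);` carries no comment tying it to the call removed from userauth_finish(), so a future sync with upstream OpenSSH or a reader of auth.c alone has nothing telling them that blocklistd is now reported only when MaxAuthTries is exhausted. A one-line comment above it would prevent the per-failure call from being reintroduced: `/* Report to blocklistd once per exhausted connection, not per failed method (PR bin/58369). */`. The body of auth_maxtries_exceeded() continues past the end of this hunk.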
Index: src/crypto/external/bsd/openssh/dist/auth2.c
diff -u src/crypto/external/bsd/openssh/dist/auth2.c:1.31 src/crypto/external/bsd/openssh/dist/auth2.c:1.32
--- src/crypto/external/bsd/openssh/dist/auth2.c:1.31 Mon Jul 8 22:33:43 2024
+++ src/crypto/external/bsd/openssh/dist/auth2.c Wed Oct 9 01:49:20 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: auth2.c,v 1.31 2024/07/08 22:33:43 christos Exp $ */
+/* $NetBSD: auth2.c,v 1.32 2024/10/09 01:49:20 rin Exp $ */
/* $OpenBSD: auth2.c,v 1.169 2024/05/17 00:30:23 djm Exp $ */
/*
@@ -26,7 +26,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth2.c,v 1.31 2024/07/08 22:33:43 christos Exp $");
+__RCSID("$NetBSD: auth2.c,v 1.32 2024/10/09 01:49:20 rin Exp $");
#include <sys/types.h>
#include <sys/stat.h>
@@ -460,10 +460,8 @@ userauth_finish(struct ssh *ssh, int aut
} else {
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
- (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
authctxt->failures++;
- pfilter_notify(1);
- }
if (authctxt->failures >= options.max_authtries)
auth_maxtries_exceeded(ssh);
methods = authmethods_get(authctxt);
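Review bot: Removing `pfilter_notify(1)` from the failure branch means a connection whose failures stay below `options.max_authtries` is never reported to blocklistd at all, since the only remaining notification is reached through the `auth_maxtries_exceeded(ssh)` call two lines below; that is the intended trade-off against the spurious activations described in the log, but nothing in the code records it. A short comment on the `if (authctxt->failures >= options.max_authtries)` line would make the reduced coverage explicit, e.g. `/* blocklistd is notified from auth_maxtries_exceeded(), not per failure */`. The brace removal itself is fine under KNF, though the multi-line condition with a braceless body is easy to misread when a second statement is later added. userauth_finish() starts before this hunk.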