svn commit: r314072 - stable/11/crypto/openssh
Kurt Lidl
lidl at FreeBSD.org
Wed Feb 22 04:15:40 UTC 2017
Author: lidl
Date: Wed Feb 22 04:15:39 2017
New Revision: 314072
URL: https://svnweb.freebsd.org/changeset/base/314072
Log:
MFC r313965:
Only notify blacklistd for successful logins in auth.c
Before this change, every pass through auth.c resulted in a
call to blacklist_notify().
In a normal remote login, there would be a failed login flagged for
the printing of the "xxx login:" prompt, before the remote user
could enter a password.
If the user successfully entered a good password, then a good login
would be flagged, and everything would be OK.
If the user entered an incorrect password, there would be another
failed login flagged in auth1.c (or auth2.c) for the actual bad
password attempt. Finally, when sshd got around to issuing the
second "xxx login:" prompt, there would be yet another failed login
notice sent to blacklistd.
So, if there was a 3 bad logins limit set (the default), the system
would actually block the address after the first bad password attempt.
Reported by: Rick Adams
Reviewed by: des
Sponsored by: The FreeBSD Foundation
Modified:
stable/11/crypto/openssh/auth.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/crypto/openssh/auth.c
==============================================================================
--- stable/11/crypto/openssh/auth.c Wed Feb 22 03:49:46 2017 (r314071)
+++ stable/11/crypto/openssh/auth.c Wed Feb 22 04:15:39 2017 (r314072)
@@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authent
authmsg = "Partial";
else {
authmsg = authenticated ? "Accepted" : "Failed";
- BLACKLIST_NOTIFY(authenticated ?
- BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);
+ if (authenticated)
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
}
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
More information about the svn-src-stable
mailing list