- djm@cvs.openbsd.org 2010/01/30 02:54:53

[openssh.git] / auth1.c

diff --git a/auth1.c b/auth1.c
index 4bc2bf76d62d1d5794dabbb9cfe5b9be225ab37b..1801661fdda8b72236de420f22eb8cd957a4314a 100644 (file)
--- a/auth1.c
+++ b/auth1.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -10,8 +11,16 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
 
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <pwd.h>
+
+#include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
 #include "rsa.h"
 #include "ssh1.h"
@@ -20,10 +29,15 @@ RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
 #include "log.h"
 #include "servconf.h"
 #include "compat.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "channels.h"
 #include "session.h"
 #include "uidswap.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "buffer.h"
 
@@ -77,7 +91,7 @@ static const struct AuthMethod1
 {
        int i;
 
-       for(i = 0; auth1_methods[i].name != NULL; i++)
+       for (i = 0; auth1_methods[i].name != NULL; i++)
                if (auth1_methods[i].type == type)
                        return (&(auth1_methods[i]));
 
@@ -96,6 +110,7 @@ get_authname(int type)
        return (buf);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -120,6 +135,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
        return (authenticated);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -137,6 +153,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
        return (authenticated);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -175,6 +192,7 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
        return (authenticated);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -193,6 +211,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
        return (-1);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -265,6 +284,8 @@ do_authloop(Authctxt *authctxt)
                    type != SSH_CMSG_AUTH_TIS_RESPONSE)
                        abandon_challenge_response(authctxt);
 
+               if (authctxt->failures >= options.max_authtries)
+                       goto skip;
                if ((meth = lookup_authmethod1(type)) == NULL) {
                        logit("Unknown message during authentication: "
                            "type %d", type);
@@ -297,15 +318,7 @@ do_authloop(Authctxt *authctxt)
                }
 #endif /* _UNICOS */
 
-#ifdef HAVE_CYGWIN
-               if (authenticated &&
-                   !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
-                   authctxt->pw)) {
-                       packet_disconnect("Authentication rejected for uid %d.",
-                           authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
-                       authenticated = 0;
-               }
-#else
+#ifndef HAVE_CYGWIN
                /* Special handling for root */
                if (authenticated && authctxt->pw->pw_uid == 0 &&
                    !auth_root_allowed(meth->name)) {
@@ -333,7 +346,7 @@ do_authloop(Authctxt *authctxt)
                                        msg[len] = '\0';
                        else
                                msg = "Access denied.";
-                       packet_disconnect(msg);
+                       packet_disconnect("%s", msg);
                }
 #endif
 
@@ -349,7 +362,7 @@ do_authloop(Authctxt *authctxt)
                if (authenticated)
                        return;
 
-               if (authctxt->failures++ > options.max_authtries) {
+               if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif