- (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't
diff --git a/auth1.c b/auth1.c
index dc00a72d85f78c6a6ce841e6ef98d292792757f4..1801661fdda8b72236de420f22eb8cd957a4314a 100644 (file)
--- a/auth1.c
+++ b/auth1.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
 
 #include "includes.h"
 
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <pwd.h>
+
+#include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
 #include "rsa.h"
 #include "ssh1.h"
 #include "log.h"
 #include "servconf.h"
 #include "compat.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "channels.h"
 #include "session.h"
 #include "uidswap.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "buffer.h"
 
@@ -95,6 +110,7 @@ get_authname(int type)
        return (buf);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -119,6 +135,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
        return (authenticated);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -136,6 +153,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
        return (authenticated);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -174,6 +192,7 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
        return (authenticated);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -192,6 +211,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
        return (-1);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -264,6 +284,8 @@ do_authloop(Authctxt *authctxt)
                    type != SSH_CMSG_AUTH_TIS_RESPONSE)
                        abandon_challenge_response(authctxt);
 
+               if (authctxt->failures >= options.max_authtries)
+                       goto skip;
                if ((meth = lookup_authmethod1(type)) == NULL) {
                        logit("Unknown message during authentication: "
                            "type %d", type);
@@ -296,15 +318,7 @@ do_authloop(Authctxt *authctxt)
                }
 #endif /* _UNICOS */
 
-#ifdef HAVE_CYGWIN
-               if (authenticated &&
-                   !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
-                   authctxt->pw)) {
-                       packet_disconnect("Authentication rejected for uid %d.",
-                           authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
-                       authenticated = 0;
-               }
-#else
+#ifndef HAVE_CYGWIN
                /* Special handling for root */
                if (authenticated && authctxt->pw->pw_uid == 0 &&
                    !auth_root_allowed(meth->name)) {
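Review bot: With the conditional changed to `#ifndef HAVE_CYGWIN`, a Cygwin build no longer runs any post-authentication check at this point in do_authloop: the `check_nt_auth()` gate is removed and the root check is compiled out. Whether an equivalent check is enforced elsewhere is not visible from this hunk, so a comment should record the decision, for example `/* Root login policy is not applied on Cygwin builds */`. The remaining branch dereferences `authctxt->pw` guarded only by `authenticated`, while the removed code tested `authctxt->pw == NULL`; it would help to state that a successful method implies a non-NULL `pw`. The `if` statement continues outside the hunk.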
@@ -332,7 +346,7 @@ do_authloop(Authctxt *authctxt)
                                        msg[len] = '\0';
                        else
                                msg = "Access denied.";
-                       packet_disconnect(msg);
+                       packet_disconnect("%s", msg);
                }
 #endif
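Review bot: The reason for the explicit format in `packet_disconnect("%s", msg);` is not recorded next to the call, so a later cleanup could fold it back into `packet_disconnect(msg)`. When `msg` is not the literal "Access denied." it is a runtime buffer (the `msg[len] = '\0'` line shows writable data; its origin is outside the hunk), and any `%` in it would be read as a conversion specification. I would add `/* msg is data, never a format string */` above the call. Other call sites of printf-style functions in this file that pass a non-literal first argument, if any, deserve the same treatment.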
 
@@ -348,7 +362,7 @@ do_authloop(Authctxt *authctxt)
                if (authenticated)
                        return;
 
-               if (authctxt->failures++ > options.max_authtries) {
+               if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
                        PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
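Review bot: The `max_authtries` limit is now tested in two places in do_authloop, here as `++authctxt->failures >= options.max_authtries` and earlier as `if (authctxt->failures >= options.max_authtries) goto skip;`, and neither site explains why both are needed. Presumably the earlier guard covers failures counted outside this loop, but that is inferred; the `skip:` label and the rest of this `if` body are outside the visible hunks. A comment here such as `/* pre-increment: the max_authtries-th failure ends the session */` would make the intended boundary explicit, since the old `failures++ >` form allowed more attempts than the configured limit. A matching comment at the earlier guard should say that no method handler runs once the limit is reached.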