From 71709bcd68b9d917606f6c3ac16684120939e592 Mon Sep 17 00:00:00 2001
From: djm <djm>
Date: Fri, 4 Jul 2008 23:44:53 +0000
Subject: [PATCH]    - djm@cvs.openbsd.org 2008/07/04 23:30:16      [auth1.c
 auth2.c]      Make protocol 1 MaxAuthTries logic match protocol 2's.      Do
 not treat the first protocol 2 authentication attempt as      a failure IFF
 it is for method "none".      Makes MaxAuthTries' user-visible behaviour
 identical for      protocol 1 vs 2.      ok dtucker@

---
 ChangeLog | 8 ++++++++
 auth1.c   | 6 ++++--
 auth2.c   | 9 +++++++--
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4af616da..8329de81 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,14 @@
    - djm@cvs.openbsd.org 2008/07/04 23:08:25
      [packet.c]
      handle EINTR in packet_write_poll()l ok dtucker@
+   - djm@cvs.openbsd.org 2008/07/04 23:30:16
+     [auth1.c auth2.c]
+     Make protocol 1 MaxAuthTries logic match protocol 2's.
+     Do not treat the first protocol 2 authentication attempt as
+     a failure IFF it is for method "none".
+     Makes MaxAuthTries' user-visible behaviour identical for
+     protocol 1 vs 2.
+     ok dtucker@
 
 20080704
  - (dtucker) OpenBSD CVS Sync
diff --git a/auth1.c b/auth1.c
index b5798f63..834ef045 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth1.c,v 1.72 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -284,6 +284,8 @@ do_authloop(Authctxt *authctxt)
 		    type != SSH_CMSG_AUTH_TIS_RESPONSE)
 			abandon_challenge_response(authctxt);
 
+		if (authctxt->failures >= options.max_authtries)
+			goto skip;
 		if ((meth = lookup_authmethod1(type)) == NULL) {
 			logit("Unknown message during authentication: "
 			    "type %d", type);
@@ -368,7 +370,7 @@ do_authloop(Authctxt *authctxt)
 		if (authenticated)
 			return;
 
-		if (authctxt->failures++ > options.max_authtries) {
+		if (++authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
diff --git a/auth2.c b/auth2.c
index 4b96c652..a835abfc 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.118 2008/07/02 13:30:34 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -36,6 +36,7 @@
 #include <unistd.h>
 
 #include "xmalloc.h"
+#include "atomicio.h"
 #include "ssh2.h"
 #include "packet.h"
 #include "log.h"
@@ -333,7 +334,11 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 		/* now we can break out */
 		authctxt->success = 1;
 	} else {
-		if (++authctxt->failures >= options.max_authtries) {
+
+		/* Allow initial try of "none" auth without failure penalty */
+		if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+			authctxt->failures++;
+		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
-- 
2.45.2