Created attachment 1447: fix for the bug reported

sshd permits 2 more auth failures than it should according to MaxAuthTries. See this example:

    sshd -o MaxAuthTries=4 ....

The output shows that there were 5 failures plus the last one, which is not logged with an "attempt X failures Y" message, which makes 6 in total:

    debug1: attempt 0 failures 0
    debug2: input_userauth_request: setting up authctxt for janp
    debug2: input_userauth_request: try method none
    Failed none for janp from 127.0.0.1 port 52777 ssh2
    debug1: attempt 1 failures 1
    debug2: input_userauth_request: try method publickey
    debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
    Failed publickey for janp from 127.0.0.1 port 52777 ssh2
    debug1: attempt 2 failures 2
    debug2: input_userauth_request: try method publickey
    debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
    Failed publickey for janp from 127.0.0.1 port 52777 ssh2
    debug1: attempt 3 failures 3
    debug2: input_userauth_request: try method keyboard-interactive
    Failed keyboard-interactive for janp from 127.0.0.1 port 52777 ssh2
    debug1: attempt 4 failures 4
    debug2: input_userauth_request: try method password
    Failed password for janp from 127.0.0.1 port 52777 ssh2
    debug1: attempt 5 failures 5
    debug2: input_userauth_request: try method password
    Failed password for janp from 127.0.0.1 port 52777 ssh2

The problem is this piece of code:

    if (authctxt->failures++ > options.max_auth_tries) {

(1) failures should be incremented before the test, and (2) there should be '=' (or >= to be sure), not just '>'. After the simple fix it works as expected. While not a big deal, I suggest fixing it, since from my experience people are quite often confused by that. Patch attached.
If we change this, perhaps we should also increase the default (and documentation thereof) so that the default behaviour does not change? Otherwise this change might result in a number of existing configurations that currently work showing auth failures after an upgrade?
Makes sense. I can see that DEFAULT_AUTH_FAIL_MAX is 6. None, 2 hostbased and 2 pubkey auth tries make 5 of them. While this won't break many automated systems (I don't think that many configurations have more than 2 public keys, for example), it would leave just one try for password/kbd-interactive auth. Increasing DEFAULT_AUTH_FAIL_MAX to 8 sounds very logical.
I was looking to apply this, but I reread it and while I agree it's off by one I can't see two. The man page says:

    MaxAuthTries
        Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.

So in the example you gave attempt #4 is the maximum, and #5 is above the maximum.
The 1st attempt is #0, not #1.
A fix for this has been committed: both protocol 1 and 2 now check that failures < max_auth_tries before running the auth method (allowing MaxAuthTries=0 to work). Failure is now pre-incremented and the test is "<=", not "<". Finally, protocol 2 allows an initial authentication attempt with the "none" method without penalty if MaxAuthTries>0 because of its slightly-special nature in the protocol.
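To make the off-by-two from the original report and the counting in the committed fix concrete, here is an added simulation of both accounting policies. It is example code written for this thread, not OpenSSH source: it models only the counter logic the comments describe (old: method runs, then `failures++ > max`; new: method runs only while `failures < max`, pre-increment, `>=` test, first "none" request uncharged when MaxAuthTries > 0), and it assumes every method attempt fails. The method sequence is constructed from the order in the reporter's debug log; `struct outcome`, `old_policy` and `new_policy` are names invented for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the MaxAuthTries accounting this bug discusses.
 * Not OpenSSH code: it reproduces only the counting behaviour described in
 * the comments, and every method attempt in the model fails.
 */

struct outcome {
    int requests;      /* userauth requests processed before the outcome */
    int methods_run;   /* how many of those actually executed a method */
    bool disconnected; /* server sent "Too many authentication failures" */
};

/* Old accounting: the method always runs, then the counter is
 * post-incremented and compared with '>'.  The client retries until
 * the server disconnects it. */
static struct outcome old_policy(int max_auth_tries)
{
    struct outcome o = {0, 0, false};
    int failures = 0;
    for (;;) {
        o.requests++;
        o.methods_run++;                  /* method executed and failed */
        if (failures++ > max_auth_tries) {
            o.disconnected = true;        /* packet_disconnect() in sshd */
            return o;
        }
    }
}

/* Fixed accounting as the commit note describes it: a method runs only
 * while failures < MaxAuthTries, the counter is pre-incremented and
 * compared with '>=', and the first "none" request is not charged when
 * MaxAuthTries > 0.  'methods' is the sequence the client sends. */
static struct outcome new_policy(int max_auth_tries,
                                 const char *const *methods, int nmethods)
{
    struct outcome o = {0, 0, false};
    int failures = 0;
    for (int attempt = 0; attempt < nmethods; attempt++) {
        o.requests++;
        if (failures < max_auth_tries)
            o.methods_run++;              /* method executed and failed */
        bool free_none = attempt == 0 && max_auth_tries > 0 &&
                         strcmp(methods[attempt], "none") == 0;
        if (!free_none)
            failures++;
        if (failures >= max_auth_tries) {
            o.disconnected = true;
            return o;
        }
    }
    return o;                             /* client gave up first */
}

/* Method order taken from the reporter's log; constructed, not a capture. */
static const char *const reporter_order[] = {
    "none", "publickey", "publickey", "keyboard-interactive",
    "password", "password", "password", "password"
};
enum { REPORTER_ORDER_LEN = sizeof reporter_order / sizeof reporter_order[0] };

int main(void)
{
    struct outcome a = old_policy(4);
    struct outcome b = new_policy(4, reporter_order, REPORTER_ORDER_LEN);
    struct outcome c = new_policy(0, reporter_order, REPORTER_ORDER_LEN);
    printf("MaxAuthTries=4, old: %d requests before disconnect\n", a.requests);
    printf("MaxAuthTries=4, new: %d requests, %d methods run (none uncharged)\n",
           b.requests, b.methods_run);
    printf("MaxAuthTries=0, new: %d request, %d methods run\n",
           c.requests, c.methods_run);
    return 0;
}
```

With MaxAuthTries=4 the old policy lets six failed requests through (the five logged ones plus the unlogged sixth from the report); the fixed policy disconnects on the fourth charged failure, with the initial "none" probe not counted, and with MaxAuthTries=0 it refuses to run any method at all.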
Mass update RESOLVED->CLOSED after release of openssh-5.1