author Kurt Lidl <lidl@FreeBSD.org> 2017-02-22 04:15:39 +0000
committer Kurt Lidl <lidl@FreeBSD.org> 2017-02-22 04:15:39 +0000
commit 3346c1364dfa28ed709bca4b54ab45673bb075ca (patch)
tree c442af78e3f5d46dc637499bcd17ec249c447670 /crypto
parent fe087e2d21569ffdd81f7f37281d79683fa01e16 (diff)
MFC r313965:
Only notify blacklistd for successful logins in auth.c

Before this change, every pass through auth.c resulted in a call to blacklist_notify().

In a normal remote login, there would be a failed login flagged for the printing of the "xxx login:" prompt, before the remote user could enter a password.

If the user successfully entered a good password, then a good login would be flagged, and everything would be OK.

If the user entered an incorrect password, there would be another failed login flagged in auth1.c (or auth2.c) for the actual bad password attempt. Finally, when sshd got around to issuing the second "xxx login:" prompt, there would be yet another failed login notice sent to blacklistd.

So, if there was a 3 bad logins limit set (the default), the system would actually block the address after the first bad password attempt.

Reported by: Rick Adams
Reviewed by: des
Sponsored by: The FreeBSD Foundation
Notes
Notes: svn path=/stable/11/; revision=314072
Diffstat (limited to 'crypto')
-rw-r--r-- crypto/openssh/auth.c 4
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index 1259385f8af9..c5dac04d6a5b 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -295,8 +295,8 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
authmsg = "Partial";
else {
authmsg = authenticated ? "Accepted" : "Failed";
- BLACKLIST_NOTIFY(authenticated ?
- BLACKLIST_AUTH_OK : BLACKLIST_AUTH_FAIL);
+ if (authenticated)
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK);
}
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
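Review bot: The new `if (authenticated)` in the else branch of auth_log() carries no comment explaining why the BLACKLIST_AUTH_FAIL case was dropped, so the asymmetry reads like an oversight in the code itself. A short comment stating that failed attempts are reported from auth1.c/auth2.c (as the commit message says) would keep a later change from restoring the ternary and reintroducing the multiple-count behaviour. Since auth_log() no longer sends BLACKLIST_AUTH_FAIL at all after this change, it is also worth confirming that every failure that reaches this branch is already counted by one of those callers, otherwise that failure would never be seen by blacklistd.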