
Compare revisions



Target

  • Geofferey/dropbear
Commits on Source (4)
@@ -385,6 +385,12 @@ Homedir is prepended unless path begins with / */
@@ -385,6 +385,12 @@ Homedir is prepended unless path begins with / */
#define MAX_AUTH_TRIES 10 #define MAX_AUTH_TRIES 10
#endif #endif
   
/* Default maximum number of failed authentication tries.
* defaults to MAX_AUTH_TRIES */
#ifndef DEFAULT_AUTH_TRIES
#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
#endif
/* The default file to store the daemon's process ID, for shutdown /* The default file to store the daemon's process ID, for shutdown
scripts etc. This can be overridden with the -P flag */ scripts etc. This can be overridden with the -P flag */
#ifndef DROPBEAR_PIDFILE #ifndef DROPBEAR_PIDFILE
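Review bot: Nothing bounds DEFAULT_AUTH_TRIES itself: the `#ifndef DEFAULT_AUTH_TRIES` guard lets a build predefine any value, and the 1..MAX_AUTH_TRIES range check in svr_getopts runs only when -T is passed. A predefined value of 0 would make the `failcount >= svr_opts.maxauthtries` test in send_msg_userauth_failure true on every call, and a value above MAX_AUTH_TRIES would silently raise the failed-login limit past the documented maximum. Consider a compile-time guard next to the define: `#if DEFAULT_AUTH_TRIES < 1 || DEFAULT_AUTH_TRIES > MAX_AUTH_TRIES`, `#error "DEFAULT_AUTH_TRIES must be between 1 and MAX_AUTH_TRIES"`, `#endif`. The same guard would fit the unguarded define in the other options header changed here.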
@@ -261,6 +261,10 @@ Homedir is prepended unless path begins with / */
@@ -261,6 +261,10 @@ Homedir is prepended unless path begins with / */
/* Maximum number of failed authentication tries (server option) */ /* Maximum number of failed authentication tries (server option) */
#define MAX_AUTH_TRIES 10 #define MAX_AUTH_TRIES 10
   
/* Default maximum number of failed authentication tries.
* defaults to MAX_AUTH_TRIES */
#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
/* The default file to store the daemon's process ID, for shutdown /* The default file to store the daemon's process ID, for shutdown
scripts etc. This can be overridden with the -P flag */ scripts etc. This can be overridden with the -P flag */
#define DROPBEAR_PIDFILE "/var/run/dropbear.pid" #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
@@ -91,6 +91,9 @@ if 0 disables keepalives. If no response is received for 3 consecutive keepalive
@@ -91,6 +91,9 @@ if 0 disables keepalives. If no response is received for 3 consecutive keepalive
.B \-I \fIidle_timeout .B \-I \fIidle_timeout
Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds. Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
.TP .TP
.B \-T \fImax_authentication_attempts
Disconnect the session if number of authentication attempts is exceeded. default is set at compile time to DEFAULT_AUTH_TRIES which itself defaults to MAX_AUTH_TRIES (10)
.TP
.B \-c \fIforced_command .B \-c \fIforced_command
Disregard the command provided by the user and always run \fIforced_command\fR. This also Disregard the command provided by the user and always run \fIforced_command\fR. This also
overrides any authorized_keys command= option. overrides any authorized_keys command= option.
@@ -96,6 +96,7 @@ typedef struct svr_runopts {
@@ -96,6 +96,7 @@ typedef struct svr_runopts {
int noauthpass; int noauthpass;
int norootpass; int norootpass;
int allowblankpass; int allowblankpass;
unsigned int maxauthtries;
   
#if DROPBEAR_SVR_REMOTETCPFWD #if DROPBEAR_SVR_REMOTETCPFWD
int noremotetcp; int noremotetcp;
@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) {
@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) {
ses.authstate.failcount++; ses.authstate.failcount++;
} }
   
if (ses.authstate.failcount >= MAX_AUTH_TRIES) { if (ses.authstate.failcount >= svr_opts.maxauthtries) {
char * userstr; char * userstr;
/* XXX - send disconnect ? */ /* XXX - send disconnect ? */
TRACE(("Max auth tries reached, exiting")) TRACE(("Max auth tries reached, exiting"))
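Review bot: The limit now comes from a runtime field, so `svr_opts.maxauthtries` must be set on every path that can reach this comparison, and the only assignment visible in this change is in svr_getopts. If any other setup code fills svr_opts without calling svr_getopts (a test or fuzzing harness, for example; none is visible here), the field would presumably stay 0 and this branch would be taken on the first failure message. The type of `ses.authstate.failcount` is also not shown, so it is worth confirming that the comparison with the new `unsigned int` field does not mix signedness. send_msg_userauth_failure starts and ends outside this hunk.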
@@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
@@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
"-g Disable password logins for root\n" "-g Disable password logins for root\n"
"-B Allow blank password logins\n" "-B Allow blank password logins\n"
#endif #endif
"-T <1 to %d> Maximum authentication tries (default %d)\n"
#if DROPBEAR_SVR_LOCALTCPFWD #if DROPBEAR_SVR_LOCALTCPFWD
"-j Disable local port forwarding\n" "-j Disable local port forwarding\n"
#endif #endif
@@ -107,6 +108,7 @@ static void printhelp(const char * progname) {
@@ -107,6 +108,7 @@ static void printhelp(const char * progname) {
#if DROPBEAR_ECDSA #if DROPBEAR_ECDSA
ECDSA_PRIV_FILENAME, ECDSA_PRIV_FILENAME,
#endif #endif
MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES,
DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE, DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
} }
@@ -119,6 +121,7 @@ void svr_getopts(int argc, char ** argv) {
@@ -119,6 +121,7 @@ void svr_getopts(int argc, char ** argv) {
char* recv_window_arg = NULL; char* recv_window_arg = NULL;
char* keepalive_arg = NULL; char* keepalive_arg = NULL;
char* idle_timeout_arg = NULL; char* idle_timeout_arg = NULL;
char* maxauthtries_arg = NULL;
char* keyfile = NULL; char* keyfile = NULL;
char c; char c;
   
@@ -132,6 +135,7 @@ void svr_getopts(int argc, char ** argv) {
@@ -132,6 +135,7 @@ void svr_getopts(int argc, char ** argv) {
svr_opts.noauthpass = 0; svr_opts.noauthpass = 0;
svr_opts.norootpass = 0; svr_opts.norootpass = 0;
svr_opts.allowblankpass = 0; svr_opts.allowblankpass = 0;
svr_opts.maxauthtries = DEFAULT_AUTH_TRIES;
svr_opts.inetdmode = 0; svr_opts.inetdmode = 0;
svr_opts.portcount = 0; svr_opts.portcount = 0;
svr_opts.hostkey = NULL; svr_opts.hostkey = NULL;
@@ -235,6 +239,9 @@ void svr_getopts(int argc, char ** argv) {
@@ -235,6 +239,9 @@ void svr_getopts(int argc, char ** argv) {
case 'I': case 'I':
next = &idle_timeout_arg; next = &idle_timeout_arg;
break; break;
case 'T':
next = &maxauthtries_arg;
break;
#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
case 's': case 's':
svr_opts.noauthpass = 1; svr_opts.noauthpass = 1;
@@ -331,6 +338,16 @@ void svr_getopts(int argc, char ** argv) {
@@ -331,6 +338,16 @@ void svr_getopts(int argc, char ** argv) {
dropbear_exit("Bad recv window '%s'", recv_window_arg); dropbear_exit("Bad recv window '%s'", recv_window_arg);
} }
} }
if (maxauthtries_arg) {
unsigned int val = 0;
if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE ||
val == 0 || val > MAX_AUTH_TRIES) {
dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
}
svr_opts.maxauthtries = val;
}
if (keepalive_arg) { if (keepalive_arg) {
unsigned int val; unsigned int val;
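Review bot: The rejection message in the new `maxauthtries_arg` block does not say which range is accepted, even though the upper bound (MAX_AUTH_TRIES) depends on the build. Suggest `dropbear_exit("Bad maxauthtries '%s' (must be 1 to %d)", maxauthtries_arg, MAX_AUTH_TRIES);`. In printhelp the two new `%d` arguments appear to be in the right position relative to the new "-T" line, but the full format string lies outside the visible hunks, so that ordering should be double-checked. svr_getopts continues past the end of this hunk.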
@@ -235,11 +235,13 @@
@@ -235,11 +235,13 @@
#define DROPBEAR_VFORK 1 #define DROPBEAR_VFORK 1
#endif #endif
   
#ifndef DROPBEAR_LISTEN_BACKLOG
#if MAX_UNAUTH_CLIENTS > MAX_CHANNELS #if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
#define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS #define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
#else #else
#define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
#endif #endif
#endif
   
#ifndef DROPBEAR_NONE_CIPHER #ifndef DROPBEAR_NONE_CIPHER
#define DROPBEAR_NONE_CIPHER 0 #define DROPBEAR_NONE_CIPHER 0