As a result of the policy allowing changes of username to reset the

authentication state, a failed `password' authentication in SSH-2 was sending us back to trying `none' and `keyboard-interactive' each time round, which uses up OpenSSH's quota of authentication attempts rather quickly. Added a check for `cfg.change_username' to the logic which sends us back to the start. [originally from svn r4849]
2025-03-12 18:13:50 -05:00 · 2004-11-20 17:11:38 +00:00 · 2004-11-20 17:11:38 +00:00 · abf999a809
commit abf999a809
parent da1dfe64bf
1 changed files with 4 additions and 2 deletions
--- a/ssh.c
+++ b/ssh.c
@ -5003,7 +5003,8 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, int ispkt)
 		     * Additionally, if we'd just tried password
 		     * authentication, we should break out of this
 		     * whole loop so as to go back to the username
-		     * prompt.
+		     * prompt (iff we're configured to allow
+		     * username change attempts).
 		     */
 		    if (s->type == AUTH_TYPE_NONE) {
 			/* do nothing */
@ -5017,7 +5018,8 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, int ispkt)
 		    } else {
 			c_write_str(ssh, "Access denied\r\n");
 			logevent("Access denied");
-			if (s->type == AUTH_TYPE_PASSWORD) {
+			if (s->type == AUTH_TYPE_PASSWORD &&
+			    ssh->cfg.change_username) {
 			    s->we_are_in = FALSE;
 			    break;
 			}