# User Matt Johnston <matt@ucc.asn.au>
# Date 1369564764 -28800
# Node ID d7784616409a427f3bc6eb9e0d3f8b942404fe5b
# Parent e0084f136cb88f8530928d85378b1d344d41f789
improve auth failure delays to avoid indicating which users exist
8
--- a/svr-auth.c 2013-10-15 23:57:41.935735500 -0400
9
+++ b/svr-auth.c 2013-10-16 00:05:10.343719116 -0400
12
unsigned char *username = NULL, *servicename = NULL, *methodname = NULL;
13
unsigned int userlen, servicelen, methodlen;
16
TRACE(("enter recv_msg_userauth_request"))
19
dropbear_exit("unknown service in auth");
22
+ /* check username is good before continuing.
23
+ * the 'incrfail' varies depending on the auth method to
24
+ * avoid giving away which users exist on the system through
25
+ * the time delay. */
26
+ if (checkusername(username, userlen) == DROPBEAR_SUCCESS) {
30
/* user wants to know what methods are supported */
31
if (methodlen == AUTH_METHOD_NONE_LEN &&
32
strncmp(methodname, AUTH_METHOD_NONE,
34
send_msg_userauth_failure(0, 0);
38
- /* check username is good before continuing */
39
- if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
40
- /* username is invalid/no shell/etc - send failure */
41
- TRACE(("sending checkusername failure"))
42
- send_msg_userauth_failure(0, 1);
46
#ifdef ENABLE_SVR_PASSWORD_AUTH
47
if (!svr_opts.noauthpass &&
49
if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
50
strncmp(methodname, AUTH_METHOD_PASSWORD,
51
AUTH_METHOD_PASSWORD_LEN) == 0) {
52
- svr_auth_password();
55
+ svr_auth_password();
62
if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
63
strncmp(methodname, AUTH_METHOD_PASSWORD,
64
AUTH_METHOD_PASSWORD_LEN) == 0) {
75
if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
76
strncmp(methodname, AUTH_METHOD_PUBKEY,
77
AUTH_METHOD_PUBKEY_LEN) == 0) {
82
+ /* pubkey has no failure delay */
83
+ send_msg_userauth_failure(0, 0);
89
- /* nothing matched, we just fail */
90
+ /* nothing matched, we just fail with a delay */
91
send_msg_userauth_failure(0, 1);
95
dropbear_log(LOG_WARNING,
96
"Login attempt for nonexistent user from %s",
98
- send_msg_userauth_failure(0, 1);
99
return DROPBEAR_FAILURE;
103
if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
104
TRACE(("leave checkusername: root login disabled"))
105
dropbear_log(LOG_WARNING, "root login rejected");
106
- send_msg_userauth_failure(0, 1);
107
return DROPBEAR_FAILURE;
111
TRACE(("no matching shell"))
112
dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",
113
ses.authstate.pw_name);
114
- send_msg_userauth_failure(0, 1);
115
return DROPBEAR_FAILURE;
119
TRACE(("uid = %d", ses.authstate.pw_uid))
120
TRACE(("leave checkusername"))
121
return DROPBEAR_SUCCESS;
125
/* Send a failure message to the client, in responds to a userauth_request.
129
genrandom((unsigned char*)&delay, sizeof(delay));
130
- /* We delay for 300ms +- 50ms, 0.1ms granularity */
131
- delay = 250000 + (delay % 1000)*100;
132
+ /* We delay for 300ms +- 50ms */
133
+ delay = 250000 + (delay % 100000);
135
ses.authstate.failcount++;
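Review bot: The jitter at `delay = 250000 + (delay % 100000);` is added on top of whatever work already ran for this request, so the valid-user path (checkusername plus the password check in svr_auth_password) still shifts the mean response time relative to the nonexistent-user path, and because the random value is freshly drawn per request a client can average that shift out over repeated attempts. A stronger approach is to record the time the userauth request was received, subtract the elapsed time from the target delay so the total response time is constant, and derive the jitter from a hash of the request contents so repeats of the same request observe the same delay; that is more than a one-line change and belongs in send_msg_userauth_failure, whose body continues outside this hunk. Separately, the no-delay reply for the "none" method at `send_msg_userauth_failure(0, 0);` must be reached for nonexistent users as well, otherwise a "none" probe distinguishes users by the ~300ms difference against the "nothing matched" path; its placement relative to the new checkusername block is not visible in this view, so a comment stating that "none" is answered before any user-dependent branching would make the invariant explicit.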