Commit
f7ba7444
authored
May 26, 2013
by
Matt Johnston
improve auth failure delays to avoid indicating which users exist
parent
54a76342
Changes
1
svr-auth.c
...
...
@@ -110,6 +110,7 @@ void recv_msg_userauth_request() {
unsigned
char
*
username
=
NULL
,
*
servicename
=
NULL
,
*
methodname
=
NULL
;
unsigned
int
userlen
,
servicelen
,
methodlen
;
int
valid_user
=
0
;
TRACE
((
"enter recv_msg_userauth_request"
))
...
...
@@ -124,7 +125,6 @@ void recv_msg_userauth_request() {
send_msg_userauth_banner
();
}
username
=
buf_getstring
(
ses
.
payload
,
&
userlen
);
servicename
=
buf_getstring
(
ses
.
payload
,
&
servicelen
);
methodname
=
buf_getstring
(
ses
.
payload
,
&
methodlen
);
...
...
@@ -141,12 +141,12 @@ void recv_msg_userauth_request() {
dropbear_exit
(
"unknown service in auth"
);
}
/* check username is good before continuing
*/
if
(
checkusername
(
username
,
userlen
)
==
DROPBEAR_FAILURE
)
{
/* username is invalid/no shell/etc - send failure */
TRACE
((
"sending checkusername failure"
))
send_msg_userauth_failure
(
0
,
1
);
goto
out
;
/* check username is good before continuing
.
* the 'incrfail' varies depending on the auth method to
* avoid giving away which users exist on the system through
* the time delay. */
if
(
checkusername
(
username
,
userlen
)
==
DROPBEAR_SUCCESS
)
{
valid_user
=
1
;
}
/* user wants to know what methods are supported */
...
...
@@ -154,7 +154,8 @@ void recv_msg_userauth_request() {
strncmp
(
methodname
,
AUTH_METHOD_NONE
,
AUTH_METHOD_NONE_LEN
)
==
0
)
{
TRACE
((
"recv_msg_userauth_request: 'none' request"
))
if
(
svr_opts
.
allowblankpass
if
(
valid_user
&&
svr_opts
.
allowblankpass
&&
!
svr_opts
.
noauthpass
&&
!
(
svr_opts
.
norootpass
&&
ses
.
authstate
.
pw_uid
==
0
)
&&
ses
.
authstate
.
pw_passwd
[
0
]
==
'\0'
)
...
...
@@ -168,6 +169,7 @@ void recv_msg_userauth_request() {
}
else
{
/* 'none' has no failure delay */
send_msg_userauth_failure
(
0
,
0
);
goto
out
;
}
...
...
@@ -180,8 +182,10 @@ void recv_msg_userauth_request() {
if
(
methodlen
==
AUTH_METHOD_PASSWORD_LEN
&&
strncmp
(
methodname
,
AUTH_METHOD_PASSWORD
,
AUTH_METHOD_PASSWORD_LEN
)
==
0
)
{
svr_auth_password
();
goto
out
;
if
(
valid_user
)
{
svr_auth_password
();
goto
out
;
}
}
}
#endif
...
...
@@ -193,8 +197,10 @@ void recv_msg_userauth_request() {
if
(
methodlen
==
AUTH_METHOD_PASSWORD_LEN
&&
strncmp
(
methodname
,
AUTH_METHOD_PASSWORD
,
AUTH_METHOD_PASSWORD_LEN
)
==
0
)
{
svr_auth_pam
();
goto
out
;
if
(
valid_user
)
{
svr_auth_pam
();
goto
out
;
}
}
}
#endif
...
...
@@ -204,12 +210,17 @@ void recv_msg_userauth_request() {
if
(
methodlen
==
AUTH_METHOD_PUBKEY_LEN
&&
strncmp
(
methodname
,
AUTH_METHOD_PUBKEY
,
AUTH_METHOD_PUBKEY_LEN
)
==
0
)
{
svr_auth_pubkey
();
if
(
valid_user
)
{
svr_auth_pubkey
();
}
else
{
/* pubkey has no failure delay */
send_msg_userauth_failure
(
0
,
0
);
}
goto
out
;
}
#endif
/* nothing matched, we just fail */
/* nothing matched, we just fail
with a delay
*/
send_msg_userauth_failure
(
0
,
1
);
out:
...
...
@@ -252,7 +263,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
dropbear_log
(
LOG_WARNING
,
"Login attempt for nonexistent user from %s"
,
svr_ses
.
addrstring
);
send_msg_userauth_failure
(
0
,
1
);
return
DROPBEAR_FAILURE
;
}
...
...
@@ -264,7 +274,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
"Login attempt with wrong user %s from %s"
,
ses
.
authstate
.
pw_name
,
svr_ses
.
addrstring
);
send_msg_userauth_failure
(
0
,
1
);
return
DROPBEAR_FAILURE
;
}
...
...
@@ -272,7 +281,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
if
(
svr_opts
.
norootlogin
&&
ses
.
authstate
.
pw_uid
==
0
)
{
TRACE
((
"leave checkusername: root login disabled"
))
dropbear_log
(
LOG_WARNING
,
"root login rejected"
);
send_msg_userauth_failure
(
0
,
1
);
return
DROPBEAR_FAILURE
;
}
...
...
@@ -301,7 +309,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
TRACE
((
"no matching shell"
))
dropbear_log
(
LOG_WARNING
,
"User '%s' has invalid shell, rejected"
,
ses
.
authstate
.
pw_name
);
send_msg_userauth_failure
(
0
,
1
);
return
DROPBEAR_FAILURE
;
goodshell:
...
...
@@ -311,7 +318,6 @@ goodshell:
TRACE
((
"uid = %d"
,
ses
.
authstate
.
pw_uid
))
TRACE
((
"leave checkusername"
))
return
DROPBEAR_SUCCESS
;
}
/* Send a failure message to the client, in responds to a userauth_request.
...
...
@@ -358,8 +364,8 @@ void send_msg_userauth_failure(int partial, int incrfail) {
if
(
incrfail
)
{
unsigned
int
delay
;
genrandom
((
unsigned
char
*
)
&
delay
,
sizeof
(
delay
));
/* We delay for 300ms +- 50ms
, 0.1ms granularity
*/
delay
=
250000
+
(
delay
%
1000
)
*
1
00
;
/* We delay for 300ms +- 50ms */
delay
=
250000
+
(
delay
%
100000
)
;
usleep
(
delay
);
ses
.
authstate
.
failcount
++
;
}
...
...
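Review bot: After this change an invalid user never reaches svr_auth_password() or svr_auth_pam() (hunks at -180,8 +182,10 and -193,8 +197,10), so a failed attempt for a real account and an attempt for an unknown account now differ by whatever work those handlers do before their own failure reply; if that includes a password hash comparison, its cost is a residual timing difference that the 250–350 ms random delay in send_msg_userauth_failure only hides while the hash cost stays small relative to that jitter. Since the handler bodies are outside these hunks this is inferred, but it is worth documenting at the new `if (valid_user) {` guard, e.g. `/* invalid users skip the method handler entirely; the random delay in send_msg_userauth_failure is what masks the missing hash work, so keep it large relative to crypt() cost */`. A stronger mitigation, if the hash cost turns out to be significant, is to run the same hashing against a placeholder entry for unknown users so both paths do comparable work before the delayed failure. The enclosing recv_msg_userauth_request() starts and ends outside the hunks shown.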