improve auth failure delays to avoid indicating which users exist

f7ba7444 · Matt Johnston · 54a76342 · f7ba7444
Commit f7ba7444 authored May 26, 2013 by Matt Johnston
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -110,6 +110,7 @@ void recv_msg_userauth_request() {

 	unsigned char *username = NULL, *servicename = NULL, *methodname = NULL;
 	unsigned int userlen, servicelen, methodlen;
+	int valid_user = 0;

 	TRACE(("enter recv_msg_userauth_request"))

@@ -124,7 +125,6 @@ void recv_msg_userauth_request() {
 		send_msg_userauth_banner();
 	}

-	
 	username = buf_getstring(ses.payload, &userlen);
 	servicename = buf_getstring(ses.payload, &servicelen);
 	methodname = buf_getstring(ses.payload, &methodlen);
@@ -141,12 +141,12 @@ void recv_msg_userauth_request() {
 		dropbear_exit("unknown service in auth");
 	}

-	/* check username is good before continuing */
-	if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
-		/* username is invalid/no shell/etc - send failure */
-		TRACE(("sending checkusername failure"))
-		send_msg_userauth_failure(0, 1);
-		goto out;
+	/* check username is good before continuing. 
+	 * the 'incrfail' varies depending on the auth method to
+	 * avoid giving away which users exist on the system through
+	 * the time delay. */
+	if (checkusername(username, userlen) == DROPBEAR_SUCCESS) {
+		valid_user = 1;
 	}

 	/* user wants to know what methods are supported */
@@ -154,7 +154,8 @@ void recv_msg_userauth_request() {
 			strncmp(methodname, AUTH_METHOD_NONE,
 				AUTH_METHOD_NONE_LEN) == 0) {
 		TRACE(("recv_msg_userauth_request: 'none' request"))
-		if (svr_opts.allowblankpass
+		if (valid_user
+				&& svr_opts.allowblankpass
 				&& !svr_opts.noauthpass
 				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
 				&& ses.authstate.pw_passwd[0] == '\0') 
@@ -168,6 +169,7 @@ void recv_msg_userauth_request() {
 		}
 		else
 		{
+			/* 'none' has no failure delay */
 			send_msg_userauth_failure(0, 0);
 			goto out;
 		}
@@ -180,8 +182,10 @@ void recv_msg_userauth_request() {
 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
 				strncmp(methodname, AUTH_METHOD_PASSWORD,
 					AUTH_METHOD_PASSWORD_LEN) == 0) {
-			svr_auth_password();
-			goto out;
+			if (valid_user) {
+				svr_auth_password();
+				goto out;
+			}
 		}
 	}
 #endif
@@ -193,8 +197,10 @@ void recv_msg_userauth_request() {
 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
 				strncmp(methodname, AUTH_METHOD_PASSWORD,
 					AUTH_METHOD_PASSWORD_LEN) == 0) {
-			svr_auth_pam();
-			goto out;
+			if (valid_user) {
+				svr_auth_pam();
+				goto out;
+			}
 		}
 	}
 #endif
@@ -204,12 +210,17 @@ void recv_msg_userauth_request() {
 	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
 			strncmp(methodname, AUTH_METHOD_PUBKEY,
 				AUTH_METHOD_PUBKEY_LEN) == 0) {
-		svr_auth_pubkey();
+		if (valid_user) {
+			svr_auth_pubkey();
+		} else {
+			/* pubkey has no failure delay */
+			send_msg_userauth_failure(0, 0);
+		}
 		goto out;
 	}
 #endif

-	/* nothing matched, we just fail */
+	/* nothing matched, we just fail with a delay */
 	send_msg_userauth_failure(0, 1);

 out:
@@ -252,7 +263,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
 		dropbear_log(LOG_WARNING,
 				"Login attempt for nonexistent user from %s",
 				svr_ses.addrstring);
-		send_msg_userauth_failure(0, 1);
 		return DROPBEAR_FAILURE;
 	}

@@ -264,7 +274,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
 				"Login attempt with wrong user %s from %s",
 				ses.authstate.pw_name,
 				svr_ses.addrstring);
-		send_msg_userauth_failure(0, 1);
 		return DROPBEAR_FAILURE;
 	}

@@ -272,7 +281,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
 	if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
 		TRACE(("leave checkusername: root login disabled"))
 		dropbear_log(LOG_WARNING, "root login rejected");
-		send_msg_userauth_failure(0, 1);
 		return DROPBEAR_FAILURE;
 	}

@@ -301,7 +309,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
 	TRACE(("no matching shell"))
 	dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",
 				ses.authstate.pw_name);
-	send_msg_userauth_failure(0, 1);
 	return DROPBEAR_FAILURE;
 	
 goodshell:
@@ -311,7 +318,6 @@ goodshell:
 	TRACE(("uid = %d", ses.authstate.pw_uid))
 	TRACE(("leave checkusername"))
 	return DROPBEAR_SUCCESS;
-
 }

 /* Send a failure message to the client, in responds to a userauth_request.
@@ -358,8 +364,8 @@ void send_msg_userauth_failure(int partial, int incrfail) {
 	if (incrfail) {
 		unsigned int delay;
 		genrandom((unsigned char*)&delay, sizeof(delay));
-		/* We delay for 300ms +- 50ms, 0.1ms granularity */
-		delay = 250000 + (delay % 1000)*100;
+		/* We delay for 300ms +- 50ms */
+		delay = 250000 + (delay % 100000);
 		usleep(delay);
 		ses.authstate.failcount++;
 	}