svn commit: r313965 - head/crypto/openssh

Kurt Lidl lidl at FreeBSD.org
Sun Feb 19 23:31:34 UTC 2017


On 2/19/17 6:22 PM, Oliver Pinter wrote:
> On 2/20/17, Kurt Lidl <lidl at freebsd.org> wrote:
>> On 2/19/17 4:42 PM, Oliver Pinter wrote:
>>> Hello!
>>>
>>> On 2/19/17, Kurt Lidl <lidl at freebsd.org> wrote:
>>>> Author: lidl
>>>> Date: Sun Feb 19 20:35:39 2017
>>>> New Revision: 313965
>>>> URL: https://svnweb.freebsd.org/changeset/base/313965
>>>>
>>>> Log:
>>>>   Only notify blacklistd for successful logins in auth.c
>>>
>>> What's the rationale behind this change?
>>
>> Without this change, every pass through auth.c results in a
>> call to blacklist_notify().
>>
>> So, in a normal remote login, you'd get a failed
>> login flagged for the printing of the "xxx login:" prompt,
>> before the remote user could enter a password.
>>
>> If the user successfully entered a good password,
>> you'd get a good login flagged, and everything would be OK.
>>
>> If the user entered an incorrect password, you'd get
>> another failed login in auth1.c (or auth2.c), and finally,
>> when sshd got around to issuing the second "xxx login:"
>> prompt, you'd have yet another failed login notice sent
>> to blacklistd.
>>
>> So, if you had 3 bad logins set to the limit, you'd actually
>> be blocking the address after the first bad login attempt.
>>
>> -Kurt
>
> Thanks for the detailed answer. Could you please include these
> sentences when you MFC this change?

Sure, I will do that.

-Kurt
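
The counting described in the message above, as an added example that is not part of the original thread and is not OpenSSH or blacklistd code: a small C model of how many wrong passwords it takes to reach the block limit before and after r313965. All type and function names are hypothetical, and the order of notification points follows the description in the thread.

```c
#include <stdio.h>

/* Constructed model of the failure notices described in the thread.
 * All names here are hypothetical; none are OpenSSH or blacklistd code. */
struct addr_state {
    int fails;   /* failure notices counted for one remote address */
    int limit;   /* configured number of failures before blocking */
};

/* Count one failure notice; returns 1 once the address would be blocked. */
static int notify_fail(struct addr_state *s)
{
    s->fails++;
    return s->fails >= s->limit;
}

/*
 * Returns how many bad passwords were entered when the block triggers
 * (0 = blocked at the first prompt, -1 = never within max_attempts).
 * auth_c_reports_fail: 1 models the behaviour before r313965 (every pass
 * through auth.c sends a failure), 0 models it after the change.
 */
int bad_passwords_until_block(int auth_c_reports_fail, int limit,
                              int max_attempts)
{
    struct addr_state s = { 0, limit };

    /* First prompt: a pass through auth.c before any password is typed. */
    if (auth_c_reports_fail && notify_fail(&s))
        return 0;
    for (int attempt = 1; attempt <= max_attempts; attempt++) {
        /* Wrong password: failure sent from auth1.c or auth2.c. */
        if (notify_fail(&s))
            return attempt;
        /* Next prompt: another pass through auth.c. */
        if (auth_c_reports_fail && notify_fail(&s))
            return attempt;
    }
    return -1;
}

int main(void)
{
    printf("limit 3, before: blocked after %d bad password(s)\n",
           bad_passwords_until_block(1, 3, 10));
    printf("limit 3, after:  blocked after %d bad password(s)\n",
           bad_passwords_until_block(0, 3, 10));
    return 0;
}
```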