From 93c19f6170143e344cf65c1f086f3ac880b63dc2 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Fri, 11 Feb 2022 14:29:42 -0800 Subject: [PATCH] crypto/ssh: don't send the last auth failure message if disconnecting If we are going to send the disconnect message and close the connection, because we have exhausted the number of authentication attempts, don't send the final authentication failure message. This behavior matches that of OpenSSH. Fixes golang/go#51149 Change-Id: I43b2de2e854f789161cd7fd6c05876661adfb2c1 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/385236 Trust: Roland Shoemaker Run-TryBot: Roland Shoemaker Auto-Submit: Roland Shoemaker TryBot-Result: Gopher Robot Reviewed-by: Ian Lance Taylor --- ssh/server.go | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/ssh/server.go b/ssh/server.go index 6a58e12089..8e013651cb 100644 --- a/ssh/server.go +++ b/ssh/server.go @@ -633,6 +633,30 @@ userAuthLoop: } authFailures++ + if config.MaxAuthTries > 0 && authFailures >= config.MaxAuthTries { + // If we have hit the max attemps, don't bother sending the + // final SSH_MSG_USERAUTH_FAILURE message, since there are + // no more authentication methods which can be attempted, + // and this message may cause the client to re-attempt + // authentication while we send the disconnect message. + // Continue, and trigger the disconnect at the start of + // the loop. + // + // The SSH specification is somewhat confusing about this, + // RFC 4252 Section 5.1 requires each authentication failure + // be responded to with a respective SSH_MSG_USERAUTH_FAILURE + // message, but Section 4 says the server should disconnect + // after some number of attempts, but it isn't explicit which + // message should take precedence (i.e. should there be a failure + // message than a disconnect message, or if we are going to + // disconnect, should we only send that message.) + // + // Either way, OpenSSH disconnects immediately after the last + // failed authnetication attempt, and given they are typically + // considered the golden implementation it seems reasonable + // to match that behavior. + continue + } var failureMsg userAuthFailureMsg if config.PasswordCallback != nil {