Google Git
Sign in
go / crypto / 1e6e3497d506cca640d89d202b2070f00e81b0cb^! / .
commit1e6e3497d506cca640d89d202b2070f00e81b0cb[log] [tgz]
authorRoland Shoemaker <roland@golang.org>Fri Feb 11 14:29:42 2022 -0800
committerGopher Robot <gobot@golang.org>Sun Feb 13 19:09:39 2022 +0000
treecb7040f4ef2da0de9b50910a4c3f76ccbdb693fa
parentf4118a5b28e206eb1f30037b11ab68a3cd5e6442 [diff]
crypto/ssh: don't send the last auth failure message if disconnecting

If we are going to send the disconnect message and close the connection,
because we have exhausted the number of authentication attempts, don't
send the final authentication failure message. This behavior matches
that of OpenSSH.

Fixes golang/go#51149

Change-Id: I43b2de2e854f789161cd7fd6c05876661adfb2c1
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/385236
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

diff --git a/ssh/server.go b/ssh/server.go
index 6a58e12..8e01365 100644
--- a/ssh/server.go
+++ b/ssh/server.go

@@ -633,6 +633,30 @@
 		}
 
 		authFailures++
+		if config.MaxAuthTries > 0 && authFailures >= config.MaxAuthTries {
+			// If we have hit the max attemps, don't bother sending the
+			// final SSH_MSG_USERAUTH_FAILURE message, since there are
+			// no more authentication methods which can be attempted,
+			// and this message may cause the client to re-attempt
+			// authentication while we send the disconnect message.
+			// Continue, and trigger the disconnect at the start of
+			// the loop.
+			//
+			// The SSH specification is somewhat confusing about this,
+			// RFC 4252 Section 5.1 requires each authentication failure
+			// be responded to with a respective SSH_MSG_USERAUTH_FAILURE
+			// message, but Section 4 says the server should disconnect
+			// after some number of attempts, but it isn't explicit which
+			// message should take precedence (i.e. should there be a failure
+			// message than a disconnect message, or if we are going to
+			// disconnect, should we only send that message.)
+			//
+			// Either way, OpenSSH disconnects immediately after the last
+			// failed authnetication attempt, and given they are typically
+			// considered the golden implementation it seems reasonable
+			// to match that behavior.
+			continue
+		}
 
 		var failureMsg userAuthFailureMsg
 		if config.PasswordCallback != nil {