Date: Sun, 19 Feb 2017 18:31:32 -0500
From: Kurt Lidl <lidl@FreeBSD.org>
To: Oliver Pinter <oliver.pinter@hardenedbsd.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r313965 - head/crypto/openssh
Message-ID: <eecb4a52-c794-fe0b-0d44-5a8d1ee82c05@FreeBSD.org>
In-Reply-To: <CAPQ4ffvcAr5TPo%2BGQXqZ-LdNZWu2Kt79Yv31TG2kWHWQtYz%2BNA@mail.gmail.com>
References: <201702192035.v1JKZdie080791@repo.freebsd.org> <CAPQ4fftcvpWJ=5DG2YNUB4WQUzJPKa_Tzm28MvKrEFzC3dYqUg@mail.gmail.com> <72ddccfb-fa49-b9b1-c0fc-6fa896176091@FreeBSD.org> <CAPQ4ffvcAr5TPo%2BGQXqZ-LdNZWu2Kt79Yv31TG2kWHWQtYz%2BNA@mail.gmail.com>

On 2/19/17 6:22 PM, Oliver Pinter wrote:
> On 2/20/17, Kurt Lidl <lidl@freebsd.org> wrote:
>> On 2/19/17 4:42 PM, Oliver Pinter wrote:
>>> Hello!
>>>
>>> On 2/19/17, Kurt Lidl <lidl@freebsd.org> wrote:
>>>> Author: lidl
>>>> Date: Sun Feb 19 20:35:39 2017
>>>> New Revision: 313965
>>>> URL: https://svnweb.freebsd.org/changeset/base/313965
>>>>
>>>> Log:
>>>> Only notify blacklistd for successful logins in auth.c
>>>
>>> What's the rationale behind this change?
>>
>> Without this change, every pass through auth.c results in a
>> call to blacklist_notify().
>>
>> So, in a normal remote login, you'd get a failed
>> login flagged for the printing of the "xxx login:" prompt,
>> before the remote user could enter a password.
>>
>> If the user successfully entered a good password,
>> you'd get a good login flagged, and everything would be OK.
>>
>> If the user entered an incorrect password, you'd get
>> another failed login in auth1.c (or auth2.c), and finally,
>> when sshd got around to issuing the second "xxx login:"
>> prompt, you'd have yet another failed login notice sent
>> to blacklistd.
>>
>> So, if you had 3 bad logins set to the limit, you'd actually
>> be blocking the address after the first bad login attempt.
>>
>> -Kurt
>
> Thanks for the detailed answer. Could you please include these
> sentences when you MFC this change?

Sure, I will do that.

-Kurt
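
The over-counting described in this message, as a small model added here for illustration; it is not code from sshd, blacklistd or r313965. The names `auth_c_policy`, `tracker`, `report_failure` and `bad_passwords_until_block` are hypothetical, and the model assumes the address is blocked as soon as the failure count reaches the configured limit.

```c
#include <stdio.h>

/* Hypothetical model of the notification flow; not sshd or blacklistd code. */
enum auth_c_policy {
    NOTIFY_EVERY_PASS,   /* before the change: each pass through auth.c notifies */
    NOTIFY_SUCCESS_ONLY  /* after the change: auth.c notifies only on success */
};

struct tracker { int failures; int limit; };

/* Record one failure notice; returns 1 once the limit is reached (assumed rule). */
static int report_failure(struct tracker *t)
{
    return ++t->failures >= t->limit;
}

/*
 * Number of incorrect passwords the remote user has typed at the moment
 * the address gets blocked. Returns -1 for a limit below 1.
 */
int bad_passwords_until_block(enum auth_c_policy policy, int limit)
{
    struct tracker t = { 0, limit };
    int typed = 0;

    if (limit < 1)
        return -1;
    for (;;) {
        /* Pass through auth.c while the prompt is issued: no password yet. */
        if (policy == NOTIFY_EVERY_PASS && report_failure(&t))
            return typed;
        /* User enters an incorrect password: auth1.c/auth2.c reports it. */
        typed++;
        if (report_failure(&t))
            return typed;
    }
}

int main(void)
{
    printf("limit  every-pass  success-only\n");
    for (int limit = 1; limit <= 5; limit++)
        printf("%5d  %10d  %12d\n", limit,
            bad_passwords_until_block(NOTIFY_EVERY_PASS, limit),
            bad_passwords_until_block(NOTIFY_SUCCESS_ONLY, limit));
    return 0;
}
```

With the limit set to 3, the every-pass column shows the block landing after one bad password, which is the case described above; with a limit of 1 the model blocks on the prompt alone, before any password is entered.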