For anyone trying this: If you 'break userAuthLoop, you'll end up below the
label, which equals success. Probably not what you want :/
instead, I'm now using 'break' and authErr, which gives me the desired
behavior.
diff --git a/ssh/server.go b/ssh/server.go
index 37df1b3..0f4dd74 100644
--- a/ssh/server.go
+++ b/ssh/server.go
@@ -263,6 +263,8 @@ func (s *connection) serverAuthenticate(config
*ServerConfig) (*Permissions, err
var err error
var cache pubKeyCache
var perms *Permissions
+ var sum = 0
+ const maxTries = 1
userAuthLoop:
for {
@@ -300,8 +302,12 @@ userAuthLoop:
if !ok || len(payload) > 0 {
return nil, parseError(msgUserAuthRequest)
}
-
perms, authErr = config.PasswordCallback(s,
password)
+ if sum >= maxTries {
+ authErr = errors.New("ssh: maxTries
reached")
+ break
+ }
+ sum += 1
case "keyboard-interactive":
if config.KeyboardInteractiveCallback == nil {
authErr = errors.New("ssh:
keyboard-interactive auth not configubred")
On Tuesday, March 14, 2017 at 11:34:32 AM UTC+1, ikkini wrote:
>
>
>
> On Sunday, February 26, 2017 at 6:47:34 AM UTC+1, Tamás Gulácsi wrote:
>>
>> Provide a proper PasswordCallback to your server, as in the NewServerConn
>> example (https://godoc.org/golang.org/x/crypto/ssh#NewServerConn).
>>
>> Thats your function, you can program any algorithm you wish.
>>
>
> Thanks for the advise, I looked into it. I was hoping that ssh/server.go
> implemented RFC4252, par. 4::
>
> "[...] Additionally, the implementation SHOULD limit the number of failed
> authentication
> attempts a client may perform in a single session (the RECOMMENDED limit
> is 20 attempts).
> If the threshold is exceeded, the server SHOULD disconnect."
>
> The reason why I need this is that there are currently SSH brute-force
> bots out there which are so badly written, they retry (the same username
> and password combination) for pretty much as long as nothing else times
> out/fails.
>
> Anyway, my attempts to build a maxTries algorithm into PasswordCallback
> were getting uglier by the minute, so I ended up with this solution/kludge
> to limit the amount of retries within a session:
> The good thing about this is the maxTries works per session, which within
> PasswordCallback was a real problem to do (at least for me, I'm still very
> much out of my depth when it comes to golang).
>
> diff --git a/ssh/server.go b/ssh/server.go
> index 37df1b3..4ba569e 100644
> --- a/ssh/server.go
> +++ b/ssh/server.go
> @@ -263,6 +263,8 @@ func (s *connection) serverAuthenticate(config
> *ServerConfig) (*Permissions, err
> var err error
> var cache pubKeyCache
> var perms *Permissions
> + var sum = 0
> + const maxTries = 3
>
> userAuthLoop:
> for {
> @@ -300,8 +302,11 @@ userAuthLoop:
> if !ok || len(payload) > 0 {
> return nil, parseError(msgUserAuthRequest)
> }
> -
> perms, authErr = config.PasswordCallback(s,
> password)
> + if sum >= maxTries {
> + break userAuthLoop
> + }
> + sum += 1
> case "keyboard-interactive":
> if config.KeyboardInteractiveCallback == nil {
> authErr = errors.New("ssh:
> keyboard-interactive auth not configubred")
>
>
>
>
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
