OpenBSD CVS

CVS log for src/usr.bin/ssh/srclimit.c

[BACK] Up to [local] / src / usr.bin / ssh

Request diff between arbitrary revisions

Default branch: MAIN

Revision 1.15 / (download) - annotate - [select for diffs], Tue Dec 16 08:32:50 2025 UTC (12 days, 19 hours ago) by dtucker
Branch: MAIN
CVS Tags: HEAD
Changes since 1.14: +5 -1 lines
Diff to previous 1.14 (colored) 

Add 'invaliduser' penalty to PerSourcePenalties, which is applied
to login attempts for usernames that do not match real accounts.
Defaults to 5s to match 'authfail' but allows administrators to
block such sources for longer if desired.  with & ok djm@

Revision 1.14 / (download) - annotate - [select for diffs], Fri Dec 5 07:49:45 2025 UTC (3 weeks, 2 days ago) by djm
Branch: MAIN
Changes since 1.13: +20 -16 lines
Diff to previous 1.13 (colored) 

convert PerSourcePenalties to using floating point time, allowing
penalties to be less than a second. This is useful if you need to
penalise things you expect to occur at >=1 QPS.

feedback dtucker / deraadt; ok deraadt@

Revision 1.13 / (download) - annotate - [select for diffs], Fri Sep 19 01:32:45 2025 UTC (3 months, 1 week ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_8_BASE, OPENBSD_7_8
Changes since 1.12: +4 -2 lines
Diff to previous 1.12 (colored) 

log at level INFO when PerSourcePenalties actually blocks access
to a source address range. Previously this was logged at level
VERBOSE, which hid enforcement actions under default config
settings.

ok dtucker, markus

Revision 1.12 / (download) - annotate - [select for diffs], Tue Sep 2 09:26:21 2025 UTC (3 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.11: +5 -5 lines
Diff to previous 1.11 (colored) 

replace remaining cases where we manually included __func__ in a
debug or error log with the respective *_f log variant

Revision 1.11 / (download) - annotate - [select for diffs], Sun Mar 2 22:44:00 2025 UTC (9 months, 3 weeks ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_7_BASE, OPENBSD_7_7
Changes since 1.10: +1 -1 lines
Diff to previous 1.10 (colored) 

fix PerSourcePenalty incorrectly using "crash" penalty when LoginGraceTime
was exceeded. Reported by irwin AT princeton.edu via bz3797

Revision 1.10 / (download) - annotate - [select for diffs], Sun Sep 15 01:11:26 2024 UTC (15 months, 1 week ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_6_BASE, OPENBSD_7_6
Changes since 1.9: +4 -0 lines
Diff to previous 1.9 (colored) 

Add a "refuseconnection" penalty class to sshd_config
PerSourcePenalties

This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@

Revision 1.9 / (download) - annotate - [select for diffs], Thu Jun 20 00:18:05 2024 UTC (18 months, 1 week ago) by djm
Branch: MAIN
Changes since 1.8: +1 -1 lines
Diff to previous 1.8 (colored) 

stricter check for overfull tables in penalty record path

Revision 1.8 / (download) - annotate - [select for diffs], Wed Jun 12 22:36:00 2024 UTC (18 months, 2 weeks ago) by djm
Branch: MAIN
Changes since 1.7: +113 -57 lines
Diff to previous 1.7 (colored) 

split PerSourcePenalties address tracking. Previously it used one
shared table and overflow policy for IPv4 and IPv6 addresses, now
it will use separate tables and optionally different overflow
policies.

This prevents misbehaviour from IPv6 addresses (which are vastly easier
to obtain many of) from affecting IPv4 connections and may allow for
stricter overflow policies.

ok deraadt@

Revision 1.7 / (download) - annotate - [select for diffs], Tue Jun 11 01:23:25 2024 UTC (18 months, 2 weeks ago) by djm
Branch: MAIN
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored) 

a little more RB_TREE paranoia

Revision 1.6 / (download) - annotate - [select for diffs], Tue Jun 11 01:22:25 2024 UTC (18 months, 2 weeks ago) by djm
Branch: MAIN
Changes since 1.5: +1 -1 lines
Diff to previous 1.5 (colored) 

fix off-by-one comparison for PerSourcePenalty overflow:deny-all mode

Revision 1.5 / (download) - annotate - [select for diffs], Tue Jun 11 01:21:41 2024 UTC (18 months, 2 weeks ago) by djm
Branch: MAIN
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored) 

move tree init before possible early return

Revision 1.4 / (download) - annotate - [select for diffs], Fri Jun 7 13:23:30 2024 UTC (18 months, 3 weeks ago) by deraadt
Branch: MAIN
Changes since 1.3: +9 -9 lines
Diff to previous 1.3 (colored) 

avoid shadowing issues which some compilers won't accept
ok djm

Revision 1.3 / (download) - annotate - [select for diffs], Thu Jun 6 17:15:25 2024 UTC (18 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.2: +307 -15 lines
Diff to previous 1.2 (colored) 

Add a facility to sshd(8) to penalise particular problematic client
behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.

When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).

When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).

Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.

We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.

PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.

much feedback markus@ and others, ok markus@

Revision 1.2 / (download) - annotate - [select for diffs], Sat Apr 3 06:18:41 2021 UTC (4 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.1: +1 -1 lines
Diff to previous 1.1 (colored) 

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

Revision 1.1 / (download) - annotate - [select for diffs], Sat Jan 9 12:10:02 2021 UTC (4 years, 11 months ago) by dtucker
Branch: MAIN 

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits.  Man page help jmc@, feedback &
ok djm@

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.