diff options
| author | Nicholas Marriott <nicm@openbsd.org> | 2009-09-02 16:38:35 +0000 |
|---|---|---|
| committer | Nicholas Marriott <nicm@openbsd.org> | 2009-09-02 16:38:35 +0000 |
| commit | c5ac2579bac08f46f68ee7b9b9e47b6123e83bd2 (patch) | |
| tree | 5737b5805ca0cf415d3457c80860e6874e7f6b72 /server-fn.c | |
| parent | 61b7dc522d175c5f2a8b38d177adcf7282820380 (diff) | |
When incorrect passwords are entered, behave similarly to login(1) and backoff
for a bit. Based on a diff from martynas@.
Diffstat (limited to 'server-fn.c')
| -rw-r--r-- | server-fn.c | 41 |
1 files changed, 38 insertions, 3 deletions
diff --git a/server-fn.c b/server-fn.c index 568751df..8486b6c9 100644 --- a/server-fn.c +++ b/server-fn.c @@ -18,6 +18,8 @@ #include <sys/types.h> +#include <login_cap.h> +#include <pwd.h> #include <string.h> #include <time.h> #include <unistd.h> @@ -159,12 +161,20 @@ server_status_window(struct window *w) void server_lock(void) { - struct client *c; - u_int i; + struct client *c; + static struct passwd *pw, pwstore; + static char pwbuf[_PW_BUF_LEN]; + u_int i; if (server_locked) return; + if (getpwuid_r(getuid(), &pwstore, pwbuf, sizeof pwbuf, &pw) != 0) { + server_locked_pw = NULL; + return; + } + server_locked_pw = pw; + for (i = 0; i < ARRAY_LENGTH(&clients); i++) { c = ARRAY_ITEM(&clients, i); if (c == NULL || c->session == NULL) @@ -175,6 +185,7 @@ server_lock(void) "Password:", server_lock_callback, NULL, c, PROMPT_HIDDEN); server_redraw_client(c); } + server_locked = 1; } @@ -188,12 +199,16 @@ int server_unlock(const char *s) { struct client *c; + login_cap_t *lc; u_int i; char *out; + u_int failures, tries, backoff; - if (!server_locked) + if (!server_locked || server_locked_pw == NULL) return (0); server_activity = time(NULL); + if (server_activity < password_backoff) + return (-2); if (server_password != NULL) { if (s == NULL) @@ -214,10 +229,13 @@ server_unlock(const char *s) server_locked = 0; password_failures = 0; + password_backoff = 0; return (0); wrong: + password_backoff = server_activity; password_failures++; + for (i = 0; i < ARRAY_LENGTH(&clients); i++) { c = ARRAY_ITEM(&clients, i); if (c == NULL || c->prompt_buffer == NULL) @@ -228,6 +246,23 @@ wrong: server_redraw_client(c); } + /* + * Start slowing down after "login-backoff" attempts and reset every + * "login-tries" attempts. + */ + lc = login_getclass(server_locked_pw->pw_class); + if (lc != NULL) { + tries = login_getcapnum(lc, (char *) "login-tries", 10, 10); + backoff = login_getcapnum(lc, (char *) "login-backoff", 3, 3); + } else { + tries = 10; + backoff = 3; + } + failures = password_failures % tries; + if (failures > backoff) { + password_backoff += ((failures - backoff) * tries / 2); + return (-2); + } return (-1); } |