author | djm@openbsd.org <djm@openbsd.org> | 2024-09-15 03:18:26 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2024-09-15 03:23:11 +0200 |
commit | 0118a4da21147a88a56dc8b90bbc2849fefd5c1e (patch) | |
tree | bea90dba539be1ff731efd266cee103e7d12a6d9 /auth.c | |
parent | upstream: Add a "refuseconnection" penalty class to sshd_config (diff) | |
upstream: add a "Match invalid-user" predicate to sshd_config Match
options.

This allows writing Match conditions that trigger for an invalid username.
E.g.

    PerSourcePenalties refuseconnection:90s
    Match invalid-user
        RefuseConnection yes

Will effectively penalise bots trying to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.

feedback markus@

OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.161 2024/05/17 00:30:23 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -476,6 +476,7 @@ getpwnamallow(struct ssh *ssh, const char *user) ci = server_get_connection_info(ssh, 1, options.use_dns); ci->user = user; + ci->user_invalid = getpwnam(user) == NULL; parse_server_match_config(&options, &includes, ci); log_change_level(options.log_level); log_verbose_reset(); |
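Review bot: in the getpwnamallow() hunk, `ci->user_invalid = getpwnam(user) == NULL;` treats every NULL return as "no such user", but getpwnam() also returns NULL when the lookup itself fails, so a transient failure of the account database would make `Match invalid-user` fire for real accounts; with the `RefuseConnection yes` example from the commit message, their source addresses would then be penalised. Please add a comment above the line stating that lookup errors are deliberately counted as invalid, or, if that is not intended, set errno to 0 before the call and only set user_invalid when it is still 0 afterwards. A short comment would also help to record that the flag has to be assigned before parse_server_match_config() runs, since that call receives ci and is where the new predicate can be evaluated.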