From f7ba7444e8fa4aae31070cc93822962d78941276 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sun, 26 May 2013 18:39:24 +0800 Subject: improve auth failure delays to avoid indicating which users exist --- svr-auth.c | 48 +++++++++++++++++++++++++++--------------------- 1 file changed, 27 insertions(+), 21 deletions(-) (limited to 'svr-auth.c') diff --git a/svr-auth.c b/svr-auth.c index 1912660..01d4520 100644 --- a/svr-auth.c +++ b/svr-auth.c @@ -110,6 +110,7 @@ void recv_msg_userauth_request() { unsigned char *username = NULL, *servicename = NULL, *methodname = NULL; unsigned int userlen, servicelen, methodlen; + int valid_user = 0; TRACE(("enter recv_msg_userauth_request")) @@ -124,7 +125,6 @@ void recv_msg_userauth_request() { send_msg_userauth_banner(); } - username = buf_getstring(ses.payload, &userlen); servicename = buf_getstring(ses.payload, &servicelen); methodname = buf_getstring(ses.payload, &methodlen); @@ -141,12 +141,12 @@ void recv_msg_userauth_request() { dropbear_exit("unknown service in auth"); } - /* check username is good before continuing */ - if (checkusername(username, userlen) == DROPBEAR_FAILURE) { - /* username is invalid/no shell/etc - send failure */ - TRACE(("sending checkusername failure")) - send_msg_userauth_failure(0, 1); - goto out; + /* check username is good before continuing. + * the 'incrfail' varies depending on the auth method to + * avoid giving away which users exist on the system through + * the time delay. */ + if (checkusername(username, userlen) == DROPBEAR_SUCCESS) { + valid_user = 1; } /* user wants to know what methods are supported */ @@ -154,7 +154,8 @@ void recv_msg_userauth_request() { strncmp(methodname, AUTH_METHOD_NONE, AUTH_METHOD_NONE_LEN) == 0) { TRACE(("recv_msg_userauth_request: 'none' request")) - if (svr_opts.allowblankpass + if (valid_user + && svr_opts.allowblankpass && !svr_opts.noauthpass && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) && ses.authstate.pw_passwd[0] == '\0') @@ -168,6 +169,7 @@ void recv_msg_userauth_request() { } else { + /* 'none' has no failure delay */ send_msg_userauth_failure(0, 0); goto out; } @@ -180,8 +182,10 @@ void recv_msg_userauth_request() { if (methodlen == AUTH_METHOD_PASSWORD_LEN && strncmp(methodname, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN) == 0) { - svr_auth_password(); - goto out; + if (valid_user) { + svr_auth_password(); + goto out; + } } } #endif @@ -193,8 +197,10 @@ void recv_msg_userauth_request() { if (methodlen == AUTH_METHOD_PASSWORD_LEN && strncmp(methodname, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN) == 0) { - svr_auth_pam(); - goto out; + if (valid_user) { + svr_auth_pam(); + goto out; + } } } #endif @@ -204,12 +210,17 @@ void recv_msg_userauth_request() { if (methodlen == AUTH_METHOD_PUBKEY_LEN && strncmp(methodname, AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN) == 0) { - svr_auth_pubkey(); + if (valid_user) { + svr_auth_pubkey(); + } else { + /* pubkey has no failure delay */ + send_msg_userauth_failure(0, 0); + } goto out; } #endif - /* nothing matched, we just fail */ + /* nothing matched, we just fail with a delay */ send_msg_userauth_failure(0, 1); out: @@ -252,7 +263,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) { dropbear_log(LOG_WARNING, "Login attempt for nonexistent user from %s", svr_ses.addrstring); - send_msg_userauth_failure(0, 1); return DROPBEAR_FAILURE; } @@ -264,7 +274,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) { "Login attempt with wrong user %s from %s", ses.authstate.pw_name, svr_ses.addrstring); - send_msg_userauth_failure(0, 1); return DROPBEAR_FAILURE; } @@ -272,7 +281,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) { if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) { TRACE(("leave checkusername: root login disabled")) dropbear_log(LOG_WARNING, "root login rejected"); - send_msg_userauth_failure(0, 1); return DROPBEAR_FAILURE; } @@ -301,7 +309,6 @@ static int checkusername(unsigned char *username, unsigned int userlen) { TRACE(("no matching shell")) dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected", ses.authstate.pw_name); - send_msg_userauth_failure(0, 1); return DROPBEAR_FAILURE; goodshell: @@ -311,7 +318,6 @@ goodshell: TRACE(("uid = %d", ses.authstate.pw_uid)) TRACE(("leave checkusername")) return DROPBEAR_SUCCESS; - } /* Send a failure message to the client, in responds to a userauth_request. @@ -358,8 +364,8 @@ void send_msg_userauth_failure(int partial, int incrfail) { if (incrfail) { unsigned int delay; genrandom((unsigned char*)&delay, sizeof(delay)); - /* We delay for 300ms +- 50ms, 0.1ms granularity */ - delay = 250000 + (delay % 1000)*100; + /* We delay for 300ms +- 50ms */ + delay = 250000 + (delay % 100000); usleep(delay); ses.authstate.failcount++; } -- cgit v1.2.3