defence-in-depth MaxAuthTries check in monitor; ok markus
authordjm <djm@openbsd.org>
Wed, 16 Aug 2023 16:14:11 +0000 (16:14 +0000)
committerdjm <djm@openbsd.org>
Wed, 16 Aug 2023 16:14:11 +0000 (16:14 +0000)
usr.bin/ssh/monitor.c

index ca1d34e..8746a8e 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.236 2023/05/10 10:04:20 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.237 2023/08/16 16:14:11 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -279,6 +279,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
                                    auth_method, auth_submethod);
                        }
                }
+               if (authctxt->failures > options.max_authtries) {
+                       /* Shouldn't happen */
+                       fatal_f("privsep child made too many authentication "
+                           "attempts");
+               }
        }
 
        if (!authctxt->valid)
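Review bot: The `/* Shouldn't happen */` comment on the added check does not say why the monitor repeats a limit that, going by the commit title, is normally enforced elsewhere, nor why the comparison is `>` rather than `>=`. I would expand it to something like `/* Shouldn't happen: the unprivileged child should already have stopped at MaxAuthTries; getting here means it is misbehaving */`, and confirm that the strict `>` is the intended slack of one failure. Since this fatal is a signal worth alerting on, the message could carry the counts, e.g. `fatal_f("privsep child made too many authentication attempts (%d > %d)", authctxt->failures, options.max_authtries);`, assuming both fields are int. monitor_child_preauth's body begins and ends outside this hunk, so where `failures` is incremented is not visible here.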