-/* $OpenBSD: servconf.c,v 1.415 2024/09/15 01:09:40 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
options->per_source_penalty.penalty_authfail = -1;
options->per_source_penalty.penalty_noauth = -1;
options->per_source_penalty.penalty_grace = -1;
+ options->per_source_penalty.penalty_refuseconnection = -1;
options->per_source_penalty.penalty_max = -1;
options->per_source_penalty.penalty_min = -1;
options->max_authtries = -1;
options->per_source_penalty.penalty_authfail = 5;
if (options->per_source_penalty.penalty_noauth == -1)
options->per_source_penalty.penalty_noauth = 1;
+ if (options->per_source_penalty.penalty_refuseconnection == -1)
+ options->per_source_penalty.penalty_refuseconnection = 10;
if (options->per_source_penalty.penalty_min == -1)
options->per_source_penalty.penalty_min = 15;
if (options->per_source_penalty.penalty_max == -1)
} else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
p = arg + 15;
intptr = &options->per_source_penalty.penalty_grace;
+ } else if (strncmp(arg, "refuseconnection:", 17) == 0) {
+ p = arg + 17;
+ intptr = &options->per_source_penalty.penalty_refuseconnection;
} else if (strncmp(arg, "max:", 4) == 0) {
p = arg + 4;
intptr = &options->per_source_penalty.penalty_max;
if (o->per_source_penalty.enabled) {
printf("persourcepenalties crash:%d authfail:%d noauth:%d "
- "grace-exceeded:%d max:%d min:%d max-sources4:%d "
- "max-sources6:%d overflow:%s overflow6:%s\n",
+ "grace-exceeded:%d refuseconnection: %d max:%d min:%d "
+ "max-sources4:%d max-sources6:%d "
+ "overflow:%s overflow6:%s\n",
o->per_source_penalty.penalty_crash,
o->per_source_penalty.penalty_authfail,
o->per_source_penalty.penalty_noauth,
o->per_source_penalty.penalty_grace,
+ o->per_source_penalty.penalty_refuseconnection,
o->per_source_penalty.penalty_max,
o->per_source_penalty.penalty_min,
o->per_source_penalty.max_sources4,
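Review bot: The new format field on line 34 prints `refuseconnection: %d` with a space after the colon, while every other field in this string (`crash:%d`, `grace-exceeded:%d`, `max:%d`) has none and the parser branch added in the same commit matches the literal `refuseconnection:` immediately followed by the value. If this dump output is ever fed back through the PerSourcePenalties parser, that one token will not round-trip. Suggest `"grace-exceeded:%d refuseconnection:%d max:%d min:%d "`. The enclosing dump function continues outside the hunk.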
-/* $OpenBSD: servconf.h,v 1.166 2024/09/15 01:09:40 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int penalty_grace;
int penalty_authfail;
int penalty_noauth;
+ int penalty_refuseconnection;
int penalty_max;
int penalty_min;
};
penalty_secs = penalty_cfg.penalty_noauth;
reason = "penalty: connections without attempting authentication";
break;
+ case SRCLIMIT_PENALTY_REFUSECONNECTION:
+ penalty_secs = penalty_cfg.penalty_refuseconnection;
+ reason = "penalty: connection prohibited by RefuseConnection";
+ break;
case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
penalty_secs = penalty_cfg.penalty_crash;
reason = "penalty: exceeded LoginGraceTime";
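Review bot: The new `SRCLIMIT_PENALTY_REFUSECONNECTION` case reads `penalty_cfg.penalty_refuseconnection`, matching the field added to the config struct, but the `SRCLIMIT_PENALTY_GRACE_EXCEEDED` case directly below it (line 64) still reads `penalty_cfg.penalty_crash` even though a separate `penalty_grace` field exists and appears to be populated by the `grace-exceeded:` parser branch. That is pre-existing rather than introduced here, but since this commit edits the adjacent lines it seems worth fixing in the same pass: `penalty_secs = penalty_cfg.penalty_grace;`. The enclosing switch starts and ends outside the hunk.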
int srclimit_check_allow(int, int);
void srclimit_done(int);
-#define SRCLIMIT_PENALTY_NONE 0
-#define SRCLIMIT_PENALTY_CRASH 1
-#define SRCLIMIT_PENALTY_AUTHFAIL 2
-#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
-#define SRCLIMIT_PENALTY_NOAUTH 4
+#define SRCLIMIT_PENALTY_NONE 0
+#define SRCLIMIT_PENALTY_CRASH 1
+#define SRCLIMIT_PENALTY_AUTHFAIL 2
+#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
+#define SRCLIMIT_PENALTY_NOAUTH 4
+#define SRCLIMIT_PENALTY_REFUSECONNECTION 5
/* meaningful exit values, used by sshd listener for penalties */
#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */
-/* $OpenBSD: sshd.c,v 1.611 2024/09/12 00:36:27 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.612 2024/09/15 01:11:26 djm Exp $ */
/*
* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
* Copyright (c) 2002 Niels Provos. All rights reserved.
(long)child->pid, child->id,
child->early ? " (early)" : "");
break;
+ case EXIT_CONFIG_REFUSED:
+ penalty_type = SRCLIMIT_PENALTY_REFUSECONNECTION;
+ debug_f("preauth child %ld for %s prohibited by"
+ "RefuseConnection %s",
+ (long)child->pid, child->id,
+ child->early ? " (early)" : "");
+ break;
default:
penalty_type = SRCLIMIT_PENALTY_NOAUTH;
debug_f("preauth child %ld for %s exited "
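Review bot: The adjacent string literals on lines 91-92 concatenate without a separating space, so the debug message reads "prohibited byRefuseConnection". Add the space to the first piece: `debug_f("preauth child %ld for %s prohibited by "`. Whether `EXIT_CONFIG_REFUSED` is declared next to the other `EXIT_*` values in the header is not visible here, and the enclosing switch starts and ends outside the hunk.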
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.371 2024/09/15 01:09:40 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
.Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5
.Os
.It Cm authfail:duration
Specifies how long to refuse clients that disconnect after making one or more
unsuccessful authentication attempts (default: 5s).
+.It Cm refuseconnection:duration
+Specified how long to refuse clients that were administratively prohibited
+connection via the
+.Cm RefuseConnection
+option (default: 10s).
.It Cm noauth:duration
Specifies how long to refuse clients that disconnect without attempting
authentication (default: 1s).
Indicates that
.Xr sshd 8
should unconditionally terminate the connection.
+Additionally, a
+.Cm refuseconnection
+penalty may be recorded against the source of the connection of
+.Cm PerSourcePenalties
+are enabled.
This option is only really useful in a
.Cm Match
block.