From 121654a5c9f08c27868fd1db8a5f147e424af3b3 Mon Sep 17 00:00:00 2001
From: djm
Date: Wed, 16 Aug 2023 16:14:11 +0000
Subject: [PATCH] defence-in-depth MaxAuthTries check in monitor; ok markus
---
 usr.bin/ssh/monitor.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index ca1d34eb5bf..8746a8e2cf8 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.236 2023/05/10 10:04:20 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.237 2023/08/16 16:14:11 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos
 * Copyright 2002 Markus Friedl
@@ -279,6 +279,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
 auth_method, auth_submethod);
 }
 }
+ if (authctxt->failures > options.max_authtries) {
+ /* Shouldn't happen */
+ fatal_f("privsep child made too many authentication "
+ "attempts");
+ }
 }
 if (!authctxt->valid)
--
2.20.1
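Review bot: The added check in monitor_child_preauth compares with `authctxt->failures > options.max_authtries`, so the monitor aborts only once the count has gone past the limit, and the `/* Shouldn't happen */` comment does not say why `>` rather than `>=` is the right bound. If that slack is deliberate (presumably the unprivileged child is expected to disconnect at the limit itself, and the monitor only backstops a child that does not), a comment such as `/* Child enforces MaxAuthTries; re-check here so a misbehaving or compromised child cannot exceed it */` would record the intent. Reaching this path means the privsep child is not behaving as expected, so including the observed count and the configured limit in the fatal_f message would make the log line more useful for triage. The function body starts and ends outside the hunk, so where failures is incremented on the monitor side is not visible here and should be confirmed to cover every failed attempt.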