|
1 | | -/* $OpenBSD: sshd.c,v 1.608 2024/06/26 23:47:46 djm Exp $ */ |
| 1 | +/* $OpenBSD: sshd.c,v 1.609 2024/06/27 23:01:15 djm Exp $ */ |
2 | 2 | /* |
3 | 3 | * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. |
4 | 4 | * Copyright (c) 2002 Niels Provos. All rights reserved. |
@@ -390,25 +390,7 @@ child_reap(struct early_child *child) |
390 | 390 | break; |
391 | 391 | } |
392 | 392 | } |
393 | | - /* |
394 | | - * XXX would be nice to have more subtlety here. |
395 | | - * - Different penalties |
396 | | - * a) authentication failures without success (e.g. brute force) |
397 | | - * b) login grace exceeded (penalise DoS) |
398 | | - * c) monitor crash (penalise exploit attempt) |
399 | | - * d) unpriv preauth crash (penalise exploit attempt) |
400 | | - * - Unpriv auth exit status/WIFSIGNALLED is not available because |
401 | | - * the "mm_request_receive: monitor fd closed" fatal kills the |
402 | | - * monitor before waitpid() can occur. It would be good to use the |
403 | | - * unpriv exit status to detect crashes. |
404 | | - * |
405 | | - * For now, just penalise (a), (b) and (c), since that is what we have |
406 | | - * readily available. The authentication failures detection cannot |
407 | | - * discern between failed authentication and other connection problems |
408 | | - * until we have the unpriv exist status plumbed through (and the unpriv |
409 | | - * child modified to use a different exit status when auth has been |
410 | | - * attempted), but it's a start. |
411 | | - */ |
| 393 | + |
412 | 394 | if (child->have_addr) |
413 | 395 | srclimit_penalise(&child->addr, penalty_type); |
414 | 396 |
|
|