Use MAX_AUTH_TRIES rather than DEFAULT_AUTH_TRIES, don't limit argument range

default_options.h

@@ -380,17 +380,12 @@ Homedir is prepended unless path begins with / */
 #define MAX_UNAUTH_CLIENTS 30
 #endif
 
-/* Maximum number of failed authentication tries (server option) */
+/* Default maximum number of failed authentication tries (server option) */
+/* -T runtime option overrides */
 #ifndef MAX_AUTH_TRIES
 #define MAX_AUTH_TRIES 10
 #endif
 
-/* Default maximum number of failed authentication tries.
- * defaults to MAX_AUTH_TRIES */
-#ifndef DEFAULT_AUTH_TRIES
-#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
-#endif
-
 /* The default file to store the daemon's process ID, for shutdown
    scripts etc. This can be overridden with the -P flag */
 #ifndef DROPBEAR_PIDFILE

default_options.h.in

@@ -258,13 +258,10 @@ Homedir is prepended unless path begins with / */
  * come from many IPs */
 #define MAX_UNAUTH_CLIENTS 30
 
-/* Maximum number of failed authentication tries (server option) */
+/* Default maximum number of failed authentication tries (server option) */
+/* -T server option overrides */
 #define MAX_AUTH_TRIES 10
 
-/* Default maximum number of failed authentication tries.
- * defaults to MAX_AUTH_TRIES */
-#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
-
 /* The default file to store the daemon's process ID, for shutdown
    scripts etc. This can be overridden with the -P flag */
 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"

dropbear.8

@@ -92,7 +92,7 @@ if 0 disables keepalives. If no response is received for 3 consecutive keepalive
 Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
 .TP
 .B \-T \fImax_authentication_attempts
-Disconnect the session if number of authentication attempts is exceeded. default is set at compile time to DEFAULT_AUTH_TRIES which itself defaults to MAX_AUTH_TRIES (10)
+Set the number of authentication attempts allowed per connection. If unspecified the default is 10 (MAX_AUTH_TRIES)
 .TP
 .B \-c \fIforced_command
 Disregard the command provided by the user and always run \fIforced_command\fR. This also

svr-runopts.c

@@ -73,7 +73,7 @@ static void printhelp(const char * progname) {
 					"-g		Disable password logins for root\n"
 					"-B		Allow blank password logins\n"
 #endif
-					"-T <1 to %d> 	Maximum authentication tries (default %d)\n"
+					"-T		Maximum authentication tries (default %d)\n"
 #if DROPBEAR_SVR_LOCALTCPFWD
 					"-j		Disable local port forwarding\n"
 #endif
@@ -108,7 +108,7 @@ static void printhelp(const char * progname) {
 #if DROPBEAR_ECDSA
 					ECDSA_PRIV_FILENAME,
 #endif
-					MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES,
+					MAX_AUTH_TRIES,
 					DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
 					DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
 }
@@ -135,7 +135,7 @@ void svr_getopts(int argc, char ** argv) {
 	svr_opts.noauthpass = 0;
 	svr_opts.norootpass = 0;
 	svr_opts.allowblankpass = 0;
-	svr_opts.maxauthtries = DEFAULT_AUTH_TRIES;
+	svr_opts.maxauthtries = MAX_AUTH_TRIES;
 	svr_opts.inetdmode = 0;
 	svr_opts.portcount = 0;
 	svr_opts.hostkey = NULL;
@@ -341,8 +341,8 @@ void svr_getopts(int argc, char ** argv) {
 
 	if (maxauthtries_arg) {
 		unsigned int val = 0;
-		if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE ||
+		if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE 
-			val == 0 || val > MAX_AUTH_TRIES) {
+			|| val == 0) {
 			dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
 		}
 		svr_opts.maxauthtries = val;