https://bugzilla.mindrot.org/show_bug.cgi?id=3602
Bug ID: 3602
Summary: Limit artificial delay to some reasonable limit
Product: Portable OpenSSH
Version: 9.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: dbelyavs@redhat.com
Created attachment 3717
--> https://bugzilla.mindrot.org/attachment.cgi?id=3717&action=edit
A proposed patch
Commit
https://github.com/beldmit/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95
introduced a randomized delay to avoid user enumeration timing attack.
Unfortunately, in case of bad network it effectively doubles the time
spent in the input_userauth_request (mostly presumably in PAM). So if
PAM processing is really slow, it will cause huge delays - but if it
is so slow, it's more difficult to perform the enumeration attack.
The proposed patch removes the delay in case of "none" auth method as
it is a dummy method and no information can be obtained from the delay
and establishes a reasonable threshold to limit the delay.
The patch is also available as
https://github.com/openssh/openssh-portable/pull/429
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Bug ID: 3602
Summary: Limit artificial delay to some reasonable limit
Product: Portable OpenSSH
Version: 9.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: dbelyavs@redhat.com
Created attachment 3717
--> https://bugzilla.mindrot.org/attachment.cgi?id=3717&action=edit
A proposed patch
Commit
https://github.com/beldmit/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95
introduced a randomized delay to avoid user enumeration timing attack.
Unfortunately, in case of bad network it effectively doubles the time
spent in the input_userauth_request (mostly presumably in PAM). So if
PAM processing is really slow, it will cause huge delays - but if it
is so slow, it's more difficult to perform the enumeration attack.
The proposed patch removes the delay in case of "none" auth method as
it is a dummy method and no information can be obtained from the delay
and establishes a reasonable threshold to limit the delay.
The patch is also available as
https://github.com/openssh/openssh-portable/pull/429
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs