https://bugzilla.mindrot.org/show_bug.cgi?id=3602
Bug ID: 3602
Summary: Limit artificial delay to some reasonable limit
Product: Portable OpenSSH
Version: 9.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-b...@mindrot.org
Reporter: dbely...@redhat.com

Created attachment 3717
--> https://bugzilla.mindrot.org/attachment.cgi?id=3717&action=edit
A proposed patch

Commit https://github.com/beldmit/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95 introduced a randomized delay to avoid a user enumeration timing attack. Unfortunately, in the case of a bad network it effectively doubles the time spent in input_userauth_request (mostly, presumably, in PAM). So if PAM processing is really slow, it will cause huge delays; but if it is so slow, it's more difficult to perform the enumeration attack.

The proposed patch removes the delay in the case of the "none" auth method, as it is a dummy method and no information can be obtained from the delay, and establishes a reasonable threshold to limit the delay.

The patch is also available as https://github.com/openssh/openssh-portable/pull/429

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
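As an added illustration, not code from the bug report, the attached patch, or sshd itself: a small C model of the timing-equalisation scheme the report is about, and of why an unbounded "double the floor until it exceeds the elapsed time" rule turns a slow PAM round trip into a delay of up to twice its length. The constants, the FNV-1a stand-in for a keyed digest, the 100 ms cap and the function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model constants (not sshd's values). */
#define MIN_FAIL_DELAY_SECONDS 0.005   /* 5 ms floor for every failed attempt */
#define MAX_USER_DELAY_SECONDS 0.0042  /* up to ~4.2 ms of per-user jitter */
#define DELAY_CAP_SECONDS      0.1     /* assumed "reasonable threshold" */

/* FNV-1a 64-bit: a stand-in for a keyed digest so the example runs without a
 * crypto library. It is NOT a secure MAC; a real implementation would use a
 * proper keyed hash over (secret, user). */
static uint64_t fnv1a64(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Tolerant comparison for the test harness; fabs is avoided to keep -lm out. */
int near(double a, double b) {
    double d = a - b;
    return (d < 0 ? -d : d) < 1e-9;
}

/* Per-user delay: deterministic for a given (secret, user) so repeated probes
 * of one name see stable timing, but unpredictable across names. Because an
 * unknown user gets a delay drawn from the same distribution as a known one,
 * the attacker cannot tell them apart from the delay alone. */
double user_specific_delay(uint64_t timing_secret, const char *user) {
    char b[512];
    snprintf(b, sizeof b, "%llu%s", (unsigned long long)timing_secret, user);
    uint64_t h = fnv1a64(b);
    double jitter = (double)(uint32_t)h / 4294967295.0 * MAX_USER_DELAY_SECONDS;
    return MIN_FAIL_DELAY_SECONDS + jitter;
}

/* Unbounded rule: if the attempt already took longer than the target floor,
 * keep doubling the floor until it exceeds the elapsed time, then sleep for
 * the difference. With a 5 ms floor and a 500 ms PAM round trip the floor is
 * raised to 640 ms, so the attempt ends up taking 1x to 2x its real length. */
double remaining_delay_doubling(double elapsed, double seconds) {
    double remain;
    while ((remain = seconds - elapsed) < 0.0)
        seconds *= 2;
    return remain;
}

/* Capped rule (modelling the proposal): the doubled floor never rises past
 * `cap`; once the attempt itself has exceeded the cap no extra sleep is added. */
double remaining_delay_capped(double elapsed, double seconds, double cap) {
    while (seconds < elapsed && seconds < cap)
        seconds *= 2;
    if (seconds > cap)
        seconds = cap;
    return seconds > elapsed ? seconds - elapsed : 0.0;
}

/* Delay to apply after a failed userauth request under the proposal: the
 * "none" method is a probe that carries no credential, so it gets no delay at
 * all; every other method gets the capped, per-user-floored delay. */
double failure_delay(const char *method, double elapsed,
                     double user_floor, double cap) {
    if (strcmp(method, "none") == 0)
        return 0.0;
    return remaining_delay_capped(elapsed, user_floor, cap);
}

int main(void) {
    double floor_alice = user_specific_delay(42, "alice");
    double elapsed[] = { 0.003, 0.03, 0.5, 2.0 };  /* constructed PAM times */
    printf("per-user floor for alice: %.3f ms\n", floor_alice * 1000);
    for (size_t i = 0; i < sizeof elapsed / sizeof elapsed[0]; i++) {
        double e = elapsed[i];
        printf("elapsed %7.1f ms: doubling adds %7.1f ms, capped adds %6.1f ms\n",
               e * 1000,
               remaining_delay_doubling(e, MIN_FAIL_DELAY_SECONDS) * 1000,
               remaining_delay_capped(e, MIN_FAIL_DELAY_SECONDS,
                                      DELAY_CAP_SECONDS) * 1000);
    }
    return 0;
}
```

The fast path is unchanged by the cap: for an attempt that finished in under the floor, both rules sleep exactly up to the floor, which is the case the enumeration defence actually needs. The cap only matters once the real authentication already took longer than any timing side channel could usefully resolve.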