CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2025/12/29 17:22:58
Modified files:
usr.bin/ssh : packet.c
Log message:
Enforce maximum packet/block limit during pre-authentication phase

OpenSSH doesn't support rekeying before authentication completes to
minimise pre-auth attack surface.

Given LoginGraceTime, MaxAuthTries and strict KEX, it would be
difficult to send enough data or packets before authentication
completes to reach a point where rekeying is required, but we'd
prefer it to be completely impossible.

So this applies the default volume/packet rekeying limits to the
pre-auth phase. If these limits are exceeded the connection will
simply be closed.

ok dtucker markus
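
A minimal model of the behaviour the log message describes, added here as an illustration and not taken from packet.c: the same per-connection packet/block counters trigger a rekey after authentication but close the connection before it. The struct, the function names and the small limit values are assumptions constructed for the demo, not OpenSSH's defaults.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed demo limits; NOT OpenSSH's real default rekey limits. */
#define DEMO_MAX_PACKETS 4u
#define DEMO_MAX_BLOCKS  8u

enum verdict { PKT_OK, PKT_REKEY, PKT_DISCONNECT };

struct conn {                 /* hypothetical per-connection state */
	int authenticated;    /* 0 while still in the pre-auth phase */
	uint32_t block_size;  /* cipher block size in bytes */
	uint64_t packets, blocks;
};

/* Account for one packet of len bytes and decide what happens next. */
enum verdict
account_packet(struct conn *c, uint32_t len)
{
	c->packets++;
	/* Count whole cipher blocks, rounding a partial block up. */
	c->blocks += ((uint64_t)len + c->block_size - 1) / c->block_size;
	if (c->packets <= DEMO_MAX_PACKETS && c->blocks <= DEMO_MAX_BLOCKS)
		return PKT_OK;
	if (!c->authenticated)
		return PKT_DISCONNECT;  /* no rekeying pre-auth: close */
	c->packets = c->blocks = 0;     /* new keys restart the counters */
	return PKT_REKEY;
}

/* Feed n packets of len bytes; return the first non-OK verdict, else PKT_OK. */
enum verdict
feed(struct conn *c, unsigned n, uint32_t len)
{
	for (unsigned i = 0; i < n; i++) {
		enum verdict v = account_packet(c, len);
		if (v != PKT_OK)
			return v;
	}
	return PKT_OK;
}

int
main(void)
{
	struct conn pre = { 0, 16, 0, 0 }, post = { 1, 16, 0, 0 };
	printf("pre-auth: %d, post-auth: %d\n", feed(&pre, 5, 16), feed(&post, 5, 16));
	return 0;
}
```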