I thought this was already addressed with the internal blowfish hash of
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK", where all
passwords were checked against this to prevent timing analysis for user
enumeration.

On 20 July 2016 at 19:45, Darren Tucker <dtucker@xxxxxxxxxx> wrote:
> On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump@xxxxxxxxxxxxx> wrote:
> > Hi, sorry I don't know if I send this to the correct channel.
>
> It is.
>
> [..]
> > it's possible in certain circumstances to provoke a DoS
> > condition in the access to the ssh server.
>
> We have been discussing this a bit, and what we have just added is a
> simple hard limit on the allowed size of a password string at 1k,
> above which the password is immediately refused. There are other
> possible embellishments (e.g. add a possibly variable delay) but we
> haven't decided on any yet.
>
> Thanks.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
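The two mechanisms this thread touches on, a fixed dummy hash that is verified for nonexistent accounts so failed logins take the same time whether or not the user exists, and a hard cap on password length that is enforced before any expensive hashing, are easy to get in the wrong order. The following is an added example illustrating how they fit together; it is not OpenSSH code. The user table, the salts, the 50,000-round PBKDF2 stand-in for the real password hash, and the HASH_CALLS counter used to show that oversized input never reaches the hash are all constructed for this example.

```python
import hashlib
import hmac

MAX_PASSWORD_LEN = 1024   # hard limit on password bytes, as discussed in the thread ("1k")
PBKDF2_ROUNDS = 50_000    # assumption: stand-in cost for the real password hash

# Counter recording how many times the expensive hash ran (for demonstration only).
HASH_CALLS = [0]


def hash_password(password: str, salt: bytes) -> bytes:
    """Deliberately expensive hash; stands in for crypt()/bcrypt in this example."""
    HASH_CALLS[0] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user database: username -> (salt, stored hash).
_SALT_ALICE = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice": (_SALT_ALICE, hash_password("correct horse battery staple", _SALT_ALICE)),
}

# Fixed dummy record, verified against for unknown users so that a login attempt
# for a nonexistent account costs the same as one for a real account. This plays
# the role of the fixed blowfish hash mentioned in the message above.
_DUMMY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DUMMY_HASH = hash_password("not a real password", _DUMMY_SALT)


def check_password(username: str, password: str) -> bool:
    # 1. Length gate BEFORE any hashing: an oversized password is refused
    #    immediately, so a client cannot make the server burn CPU on it.
    if len(password.encode("utf-8")) > MAX_PASSWORD_LEN:
        return False

    # 2. Always run the hash, real user or not, against a real or dummy record,
    #    so the response time does not reveal whether the account exists.
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = hash_password(password, salt)

    # 3. Constant-time comparison; the existence check comes last so that it
    #    cannot short-circuit the hashing above.
    matched = hmac.compare_digest(computed, expected)
    return matched and username in USERS


if __name__ == "__main__":
    print(check_password("alice", "correct horse battery staple"))  # True
    print(check_password("mallory", "anything"))                     # False, but hashed
    print(check_password("alice", "A" * 4096))                       # False, never hashed
```

The order matters: the length check has to sit in front of the dummy-hash path as well as the real one, otherwise the enumeration defence itself becomes the amplifier, since every unknown-user attempt with a huge password would still be hashed.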