Re: RFC 8305 Happy Eyeballs in OpenSSH

On Wed, 28 Feb 2018, Peter Stuge wrote:

> Wolfgang S Rupprecht wrote:
> > Simplest would be to never abort the extra happy eyeballs before
> > actually logging in or the normal ssh connection timeout.
> 
> 1. What do dualstack browsers do when the second connection opens?
> 
> 2. ssh could complete authentication on the second connection and
> then immediately close the connection - but this would trigger many
> side effects on the server, and be a nuisance at the very least;
> consider when a server requires token interaction to login, and
> having a sliding window with some limited number of logins per day.
> 
> I personally don't really want the client to open multiple
> connections when I only specify one server.

IMO opening multiple connections (maybe mediated by a knob) is fine,
so long as we do one connection first and stagger subsequent ones with
a brief delay.

Anti-authentication brute force scripts should probably look for actual
auth attempts rather than connections; those are well-mitigated by
MaxStartups already...

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
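
The distinction drawn in the reply above, between counting connections and counting actual authentication attempts, shown as an added example (not part of the original message and not OpenSSH code). The log lines are constructed samples modelled on typical sshd syslog messages, and the function names, addresses and threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample: a dual-stack client whose abandoned IPv4 attempts close
# before authentication, next to a host that really is guessing passwords.
SAMPLE_LOG = """\
Feb 28 10:00:01 host sshd[1001]: Connection closed by 198.51.100.7 port 40022 [preauth]
Feb 28 10:00:01 host sshd[1002]: Accepted publickey for alice from 2001:db8::7 port 40023 ssh2
Feb 28 10:00:09 host sshd[1003]: Connection closed by 198.51.100.7 port 40031 [preauth]
Feb 28 10:00:09 host sshd[1004]: Accepted publickey for alice from 2001:db8::7 port 40032 ssh2
Feb 28 10:00:15 host sshd[1005]: Connection closed by 198.51.100.7 port 40040 [preauth]
Feb 28 10:01:00 host sshd[1010]: Failed password for root from 203.0.113.5 port 51000 ssh2
Feb 28 10:01:02 host sshd[1010]: Failed password for root from 203.0.113.5 port 51000 ssh2
Feb 28 10:01:04 host sshd[1011]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
"""

# An actual authentication attempt that was rejected (any auth method).
AUTH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (\S+) port \d+")
# A connection that went away before any authentication attempt was logged.
PREAUTH_CLOSE = re.compile(
    r"sshd\[\d+\]: Connection closed by (\S+) port \d+ \[preauth\]")


def tally(log_text):
    """Return (auth_failures, preauth_closes) as per-source-address Counters."""
    auth_failures, preauth_closes = Counter(), Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            auth_failures[m.group(1)] += 1
            continue
        m = PREAUTH_CLOSE.search(line)
        if m:
            preauth_closes[m.group(1)] += 1
    return auth_failures, preauth_closes


def offenders(counts, threshold):
    """Source addresses whose count reaches the threshold."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    fails, closes = tally(SAMPLE_LOG)
    print("flagged when counting auth failures:", offenders(fails, 3))
    print("flagged when counting connections:  ", offenders(closes, 3))
```

Counting pre-auth closes flags the dual-stack client, while counting failed authentication attempts flags only the host that guessed passwords.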


