Re: [PATCH 0/1] *** SUBJECT HERE ***

On Wed, 2020-03-11 at 21:39 +0100, Thomas Koeller wrote:
> an external program will be invoked every time a session is
> terminated without the requesting client being authenticated.

IMO, the idea itself sounds not the best... one must assume that such
invoked programs are not written "safe"... and thus an attacker could
potentially cause the system to run such programs a huge number of
times.

Maybe they take a while to finish (or in error case: do not finish at
all) thus causing DoS.

Not to talk about further complex scenarios where such invocation might
be used for analysis or other forms of attacks.


Cheers,
Chris.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


