Dear colleagues, I have a question about this commit: https://github.com/openssh/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95#diff-a25e40214ca9c9f78abce22f23bf2abdb2a24384c6610d60bbb314aed534eb48R216 The function ensure_minimum_time_since effectively doubles the time spent in the input_userauth_request (mostly presumably in PAM). So if PAM processing is really slow, it will cause huge delays - but if it is so slow, it's more difficult to perform the enumeration attack. So doesn't it make sense to provide an upper limit here and if really spent time is more than this upper limit, to avoid extra sleep? Will it be still necessary to protect from the attack? Vice versa, when the auth failure happens fast enough, the doubling will not significantly slow down the enumerations... Any comments will be highly appreciated! -- Dmitry Belyavskiy _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
