Re: Defend against user enumeration timing attacks - overkill


 



Dear Peter,

https://bugzilla.mindrot.org/show_bug.cgi?id=3602 is the patch I
propose to fix this issue.
It removes the delay for the "none" auth method (which is a dummy and
doesn't provide any information) and provides an (arbitrary) limit on
the delay.

On Wed, Jun 28, 2023 at 2:11 PM Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> wrote:
>
> Dear Peter,
>
> I'm trying to balance the original problem statement (protection from
> user enumeration) and avoid doubling the time here if the process has
> already taken a long time, to provide faster auth method iteration.
> I believe that a better solution is to set some arbitrary (probably
> configurable) timeout and, in the case when we spend more time than that
> value, avoid doubling it.
>
> On Wed, Jun 28, 2023 at 2:04 PM Peter Stuge <peter@xxxxxxxx> wrote:
> >
> > Dmitry Belyavskiy wrote:
> > > May I ask you to explain whether I am wrong in my conclusions?
> >
> > I guess it's not clear what problem you are trying to solve.
> >
> >
> > //Peter
> >
>
>
> --
> Dmitry Belyavskiy



-- 
Dmitry Belyavskiy

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
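The padding scheme the thread discusses, as an added example in C that is neither OpenSSH's code nor the bug 3602 patch: `pad_delay_doubling` models the current behaviour (double the target delay until it covers the time already spent) and `pad_delay_capped` models the proposal (no padding for the "none" method, and a configurable cap past which the delay is not doubled). The function names, the 5 ms minimum and the 1 s cap are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSH code. All times are in seconds. */

/* Current behaviour as described in the thread: if the auth attempt has
 * already taken longer than the minimum, double the target until it covers
 * the elapsed time. Returns how much longer to sleep. */
double pad_delay_doubling(double elapsed, double minimum)
{
    double target = minimum;
    while (target < elapsed)
        target *= 2.0;
    return target - elapsed;
}

/* Proposed behaviour: the "none" method is a dummy that reveals nothing
 * about the account, so it gets no padding; and once an attempt has taken
 * longer than a configurable cap, the delay is not doubled any further.
 * The cap also bounds the padded response to at most `cap` seconds, at the
 * price of no longer equalising attempts that already exceeded it. */
double pad_delay_capped(const char *method, double elapsed,
                        double minimum, double cap)
{
    double target = minimum;

    if (strcmp(method, "none") == 0)
        return 0.0;
    if (elapsed >= cap)          /* already slow: do not make it slower */
        return 0.0;
    while (target < elapsed)
        target *= 2.0;
    if (target > cap)
        target = cap;
    return target - elapsed;
}

/* Tolerant comparison for the floating-point results above. */
static int near(double a, double b)
{
    return a - b < 1e-9 && b - a < 1e-9;
}

int main(void)
{
    const double minimum = 0.005, cap = 1.0;     /* assumed values */
    double elapsed[] = { 0.002, 0.012, 0.7, 3.0 }; /* constructed samples */
    size_t i;

    for (i = 0; i < sizeof(elapsed) / sizeof(elapsed[0]); i++)
        printf("elapsed %.3fs: doubling sleeps %.3fs, capped sleeps %.3fs\n",
               elapsed[i], pad_delay_doubling(elapsed[i], minimum),
               pad_delay_capped("password", elapsed[i], minimum, cap));
    return 0;
}
```

With the sample inputs, an attempt that already took 3 s would sleep a further 2.12 s under the doubling rule and 0 s under the capped rule.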




