I only mentioned this, because if the plugin chose to implement a long sleep, it could break other things in ssh (depending on where it is inserted). If the plugin returns that it would like a certain delay, than SSH can implement the delay and adjust any relevant timeouts. The alternative would be to document whether or not the plug-in is allowed to sleep. From: openssh-unix-dev <openssh-unix-dev-bounces+herbie.robinson=stratus.com@xxxxxxxxxxx> On Behalf Of Thomas Köller Sent: Wednesday, October 18, 2023 3:00 PM To: openssh-unix-dev@xxxxxxxxxxx Subject: Re: [EXTERNAL] Re: ssh wish list? [EXTERNAL SENDER: This email originated from outside of Stratus Technologies. Do not click links or open attachments unless you recognize the sender and know the content is safe.] Am 18.10.23 um 20:37 schrieb Robinson, Herbie: > If one does add such a plugin, it should be in a place where it can delay for an exponentially increasing time (or return a delay time to SSH). You don’t want to just reject the login, because they might keep hammering you. The patch I proposed just invokes an external program on every failed login attempt detected. I does not implement any policy. And if the offending host is blocked, by modifying firewall rules or similar, there could be no hammering. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
