So what if this was done as a PAM module? That would:
a) reduce the code that the openssh dev team needs to maintain, as it
doesn't really touch ssh at all
b) reduce code complexity, path breaking, etc.
c) be self contained and optional for those that really want it.
On 10/18/23 4:03 PM, Robinson, Herbie wrote:
I only mentioned this, because if the plugin chose to implement a long sleep, it could break other things in ssh (depending on where it is inserted). If the plugin returns that it would like a certain delay, then SSH can implement the delay and adjust any relevant timeouts. The alternative would be to document whether or not the plug-in is allowed to sleep.
From: openssh-unix-dev <openssh-unix-dev-bounces+herbie.robinson=stratus.com@xxxxxxxxxxx> On Behalf Of Thomas Köller
Sent: Wednesday, October 18, 2023 3:00 PM
To: openssh-unix-dev@xxxxxxxxxxx
Subject: Re: [EXTERNAL] Re: ssh wish list?
On 18.10.23 at 20:37, Robinson, Herbie wrote:
If one does add such a plugin, it should be in a place where it can delay for an exponentially increasing time (or return a delay time to SSH). You don’t want to just reject the login, because they might keep hammering you.
The patch I proposed just invokes an external program on every failed
login attempt detected. It does not implement any policy. And if the
offending host is blocked, by modifying firewall rules or similar, there
could be no hammering.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
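The two points above, that a plugin should hand a recommended delay back to sshd rather than sleep itself, and that a host handed off to the firewall cannot keep hammering, can be expressed as a small per-host backoff policy. This is an added illustration, not code from the thread, the proposed patch or OpenSSH; the class name, its parameters and the idea of tracking state per source address are assumptions.

```python
"""Per-host exponential-backoff policy for failed SSH logins (illustrative).

Assumed contract (not from the thread): sshd calls record_failure() with the
offending address after each failed attempt and receives a delay in seconds
plus a block recommendation. sshd performs the sleep and adjusts its own
timeouts; the policy never sleeps. Blocking is left to a firewall rule.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class FailedLoginPolicy:
    base_delay: float = 1.0      # delay after the first failure
    max_delay: float = 60.0      # cap, so sshd's timeouts stay bounded
    reset_after: float = 600.0   # forget a host after ten quiet minutes
    block_after: int = 10        # recommend a firewall block from here on
    # host -> (consecutive failure count, timestamp of last failure)
    _failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def record_failure(self, host: str, now: Optional[float] = None) -> Tuple[float, bool]:
        """Return (recommended_delay_seconds, should_block) for one failure."""
        now = time.time() if now is None else now
        count, last = self._failures.get(host, (0, now))
        if now - last > self.reset_after:
            count = 0  # quiet long enough: start the sequence over
        count += 1
        self._failures[host] = (count, now)
        # 1, 2, 4, 8, ... seconds, capped at max_delay
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        return delay, count >= self.block_after

    def record_success(self, host: str) -> None:
        """A successful login clears the host's backoff state."""
        self._failures.pop(host, None)
```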