[Bug 3602] New: Limit artificial delay to some reasonable limit

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Aug 16 20:13:37 AEST 2023


            Bug ID: 3602
           Summary: Limit artificial delay to some reasonable limit
           Product: Portable OpenSSH
           Version: 9.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dbelyavs at redhat.com

Created attachment 3717
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3717&action=edit
A proposed patch

introduced a randomized delay to avoid a user enumeration timing attack.

Unfortunately, in the case of a bad network it effectively doubles the time
spent in input_userauth_request (mostly, presumably, in PAM). So if
PAM processing is really slow, it will cause huge delays - but if it
is so slow, it's more difficult to perform the enumeration attack.

The proposed patch removes the delay in the case of the "none" auth method, as
it is a dummy method and no information can be obtained from the delay,
and establishes a reasonable threshold to limit the delay.

The patch is also available as

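The following is an added illustration of the delay policy this report argues about; it is neither the reporter's attached patch nor sshd's own code. It models the failed-authentication padding as "sleep until at least a minimum time has passed, doubling the target whenever the attempt already took longer", which is the behaviour that makes a slow PAM round trip roughly double in wall-clock time, and then shows the two changes the report proposes: no padding for the "none" method and a hard cap on the padding. The doubling loop, the 5 ms minimum and the 1.0 s cap are assumptions and placeholders (the report does not give the threshold value); the real sshd delay is also randomized per user, which this model omits.

```c
#include <stdio.h>
#include <string.h>

/* Assumed constants (not from the report or from sshd):
 * minimum padding for a failed attempt, and a placeholder for the
 * "reasonable threshold" the proposed patch introduces. */
#define MIN_FAIL_DELAY_SECONDS 0.005
#define MAX_FAIL_DELAY_SECONDS 1.0   /* placeholder cap */

/* Current policy as modelled here: ensure the total time spent on the
 * attempt is at least `seconds`. If the attempt already took longer
 * (slow network, slow PAM), the target is doubled until it exceeds the
 * elapsed time, so the remaining sleep can be almost as long as the time
 * already spent. Returns the number of seconds still to sleep. */
double
uncapped_remaining(double elapsed, double seconds)
{
    double remain;

    while ((remain = seconds - elapsed) < 0.0)
        seconds *= 2;
    return remain;
}

/* Proposed policy: same computation, but never sleep longer than `cap`.
 * The padding still hides sub-threshold timing differences between
 * existing and non-existing users; it just stops amplifying a PAM
 * stall that is already far too coarse to be a useful oracle. */
double
capped_remaining(double elapsed, double seconds, double cap)
{
    double remain = uncapped_remaining(elapsed, seconds);

    return remain > cap ? cap : remain;
}

/* Proposed policy at the userauth layer: the "none" method carries no
 * credential and always fails, so padding it reveals nothing; every
 * other failed method gets the capped padding. */
double
failed_auth_delay(const char *method, double elapsed, double cap)
{
    if (strcmp(method, "none") == 0)
        return 0.0;
    return capped_remaining(elapsed, MIN_FAIL_DELAY_SECONDS, cap);
}

/* Absolute value without pulling in libm. */
double
dabs(double x)
{
    return x < 0.0 ? -x : x;
}

int
main(void)
{
    /* Constructed sample: elapsed time of a failed attempt, in seconds. */
    const double samples[] = { 0.001, 0.020, 0.300, 3.0, 12.0 };
    size_t i;

    printf("%8s %12s %12s %12s\n",
        "elapsed", "uncapped", "capped", "none-method");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        double e = samples[i];

        printf("%8.3f %12.3f %12.3f %12.3f\n", e,
            uncapped_remaining(e, MIN_FAIL_DELAY_SECONDS),
            failed_auth_delay("password", e, MAX_FAIL_DELAY_SECONDS),
            failed_auth_delay("none", e, MAX_FAIL_DELAY_SECONDS));
    }
    return 0;
}
```

Running the table shows the report's complaint directly: a 3 s PAM round trip gets another 2.12 s of padding under the uncapped policy, while the capped policy adds at most the threshold and the "none" probe adds nothing.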