[Bug 3602] New: Limit artificial delay to some reasonable limit

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Aug 16 20:13:37 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3602

            Bug ID: 3602
           Summary: Limit artificial delay to some reasonable limit
           Product: Portable OpenSSH
           Version: 9.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dbelyavs at redhat.com

Created attachment 3717
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3717&action=edit
A proposed patch

Commit
https://github.com/beldmit/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95
introduced a randomized delay to avoid user enumeration timing attack. 

Unfortunately, in case of bad network it effectively doubles the time
spent in the input_userauth_request (mostly presumably in PAM). So if
PAM processing is really slow, it will cause huge delays - but if it
is so slow, it's more difficult to perform the enumeration attack.

The proposed patch removes the delay in case of "none" auth method as
it is a dummy method and no information can be obtained from the delay
and establishes a reasonable threshold to limit the delay.

The patch is also available as
https://github.com/openssh/openssh-portable/pull/429

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list