[Bug 3771] Will future versions of openssh provide DDoS attack defense for the DH algorithm?:CVE-2024-41996
bugzilla-daemon at mindrot.org
Thu Jan 2 14:07:07 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3771
Darren Tucker <dtucker at dtucker.net> changed:
What         | Removed | Added
-------------+---------+---------------------------
CC           |         | dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
The "noauth" penalty class in PerSourcePenalties should cover this
class of behaviour:
https://man.openbsd.org/sshd_config.5#PerSourcePenalties
The default penalty is 1 second, but you can increase it as desired.
PerSourcePenalties was introduced in OpenSSH 9.8.
Note that the Diffie-Hellman algorithms have also been removed from the
default algorithm set in the development tree:
https://github.com/openssh/openssh-portable/commit/0051381a8c33740a77a1eca6859efa1c78887d80
This change has not yet made it into a released version, but will be in
the next major (i.e. 10.0) release.
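As an added illustration (not part of the bug thread or of OpenSSH itself), the fragment below raises the "noauth" penalty from the 1 second default mentioned above and pairs it with a small check that reports which value a given sshd_config actually sets. The config text, the 192.0.2.0/24 exempt network and the `noauth_penalty` helper are all constructed for this example.

```shell
# Added example: a raised "noauth" penalty in sshd_config (OpenSSH 9.8+)
# plus a helper that reports the effective noauth value, so a reviewer can
# confirm the change took. The config text below is constructed.
set -eu

SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
# Constructed sshd_config fragment. Only the classes named here change;
# classes not listed keep their compiled-in defaults.
PerSourcePenalties noauth:30s authfail:5s max:10m
# Hypothetical management network that must never be penalised.
PerSourcePenaltyExemptList 192.0.2.0/24
EOF

# Print the noauth penalty set in the given file. sshd keywords are
# case-insensitive and the first occurrence of a keyword wins, so only the
# first PerSourcePenalties line is inspected. "PerSourcePenalties no"
# disables the mechanism entirely; with no line at all sshd's default
# noauth penalty is 1s.
noauth_penalty() {
    conf="$1"
    value=$(awk 'tolower($1) == "persourcepenalties" && !seen {
                    seen = 1
                    if (NF == 2 && tolower($2) == "no") { v = "disabled"; next }
                    for (i = 2; i <= NF; i++)
                        if (split($i, kv, ":") == 2 && kv[1] == "noauth") v = kv[2]
                 }
                 END { print v }' "$conf")
    printf '%s\n' "${value:-1s}"
}

noauth_penalty "$SAMPLE_CONFIG"   # prints 30s
```

On a live host, prefer `sshd -T`, which prints the effective configuration after defaults are applied, over reading the file directly.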