Feature request: FAIL_DELAY-support for sshd

Darren Tucker dtucker at zip.com.au
Thu Feb 3 14:02:23 EST 2005


Bjoern Voigt wrote:
> It's possible to insert "sleep(seconds)" here to slow down the
> connection a bit. But this also slows down "good" connections.

You could put a sleep next to the record_failed_login call in auth.c 
(outside the ifdef), or even implement your own record_failed_login() 
that delays before returning.

> Not really sure, because I haven't fully understood the authentication
> code. There are filenames like auth.c, auth1.c, auth2.c. Also, my
> debugger (gdb-6.2) seems to have some problems with OpenSSH. I compiled
> with "CFLAGS=-g ./configure --enable-debug ..." and I debug with "sshd
> -p XXX -dDD" but gdb does not find my breakpoints.

If you're trying to probe sshd with a debugger then add "-o 
UsePrivilegeSeparation=no -r" to the command line (but be aware that it 
will behave similarly but not exactly the same as normal operation).

> Anyway, with debugging messages inserted, I think that
> pam_authenticate() will be called only for existing users
> (allowed_user()-check).

That should not be the case.  If you can show a situation where the 
current version does behave differently then let us know and we'll try 
to fix it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
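
The delay-on-failure idea from the reply above, as an added example that is not part of the original message and is not OpenSSH code: a failed-login hook that sleeps before returning, so only failed attempts are slowed. The function names, their signatures and the sample user and host values are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <time.h>

/* Sleep for ms milliseconds, resuming if a signal interrupts the sleep. */
static void sleep_ms(unsigned ms)
{
    struct timespec ts = { ms / 1000, (long)(ms % 1000) * 1000000L };
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR)
        ;   /* ts now holds the remaining time; keep sleeping */
}

/*
 * Hypothetical stand-in for a failed-login hook (not OpenSSH's own
 * signature): log the failure, then delay before returning.
 * Returns the delay applied, in milliseconds.
 */
unsigned delayed_record_failed_login(const char *user, const char *host,
                                     unsigned fail_delay_ms)
{
    fprintf(stderr, "failed login for %s from %s\n", user, host);
    sleep_ms(fail_delay_ms);
    return fail_delay_ms;
}

/* Only the failure path pays the delay; successful logins return at once. */
unsigned finish_auth_attempt(int authenticated, const char *user,
                             const char *host, unsigned fail_delay_ms)
{
    if (authenticated)
        return 0;
    return delayed_record_failed_login(user, host, fail_delay_ms);
}

int main(void)
{
    /* Constructed sample values. */
    printf("good login delayed %u ms\n",
           finish_auth_attempt(1, "alice", "192.0.2.10", 3000));
    printf("bad login delayed %u ms\n",
           finish_auth_attempt(0, "nosuchuser", "192.0.2.10", 3000));
    return 0;
}
```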




More information about the openssh-unix-dev mailing list