Feature request: FAIL_DELAY-support for sshd
Darren Tucker
dtucker at zip.com.au
Sat Feb 5 11:08:33 EST 2005
Bjoern Voigt wrote:
> Yes, but it's possible to test the existence of pam_fail_delay() in PAM
> with "#ifdef HAVE_PAM_FAIL_DELAY" (source:
> /usr/include/security/_pam_types.h in Linux-PAM).
Sure, that's possible.
That said, if you want to change the fail-on-delay policy for PAM then
you should do it via a PAM module. Putting policy decisions like this
in the hands of admins rather than application developers is what PAM is
for, and PAM modules are how PAM implements policy.
[...]
> One small problem remains: I get the delays only with
> ChallengeResponseAuthentication, not with PasswordAuthentication. I
> wonder a bit about this.
Depending on where you put your pam_fail_delay() it may not be in the
path for PasswordAuthentication: remember, there's *two*
pam_authenticate() calls. Try moving it to immediately after the
pam_start(), that'll be in the path for both.
[...]
> Do you have the whole patch for your ChangeLog-entry? I already looked
> in www.openssh.org's CVS archive, but there is only OpenBSD's ssh source
> in CVS.
Portable's cvsweb is here:
http://cvsweb.mindrot.org/index.cgi/openssh/
> Probably I also need some changes in other files, not only in
> pam-auth.c?
The whole patch for that changelog entry contained only auth-pam.c, but
if you're backporting to 3.9p1 then you'll also need the attached patch
for full effect.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
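An added illustration of the "do it via a PAM module" advice above; this fragment is not part of Darren's message or of OpenSSH. It assumes Linux-PAM with its pam_faildelay module installed and the usual /etc/pam.d/sshd layout; the three-second value is a constructed sample.

```text
# /etc/pam.d/sshd  (assumed file; example fragment only)
#
# pam_faildelay calls pam_fail_delay() from inside the authentication
# stack, so the delay policy is set by the admin here rather than compiled
# into sshd. "optional" means the module never changes the stack's result;
# delay= is in microseconds (3 s below).
auth    optional    pam_faildelay.so delay=3000000
auth    required    pam_unix.so
```

Because the delay is requested by a module run from pam_authenticate() rather than by a call placed in sshd's own source, it applies to whichever of sshd's two pam_authenticate() paths is taken, which sidesteps the placement question raised for PasswordAuthentication versus ChallengeResponseAuthentication. On a failed authentication Linux-PAM sleeps for roughly the requested time, which is the behaviour the delay is meant to provide: slowing repeated guessing without leaking which step failed.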
Attachment: openssh-kbdint-noleak.patch
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050205/e5a0e0a1/attachment.ksh