sshd exponential backoff patch

Robert Banz rob at
Sat Jan 24 03:32:20 EST 2009

Hey Sam,

This is a really nice idea. However, I'm not so hot on making a core utility such as OpenSSH reliant on a library that isn't by default available on most platforms.


On Jan 23, 2009, at 1:05 AM, Sam Watkins wrote:

> hi,
> I wrote a patch to openssh sshd.c which enables "exponential backoff",
> so that an attacker cannot brute force your password by making hundreds
> of login attempts.
> here is the code:
> An attacker who fails to login is locked out (by IP address) for 1
> minute, and the lockout period doubles for each failed login after that.
> Normally three logins are allowed before an ssh connection is
> terminated.
> This patch is "beta" software and might lock you out of your sshd, so be
> careful and make sure you are prepared for that.
> You can "test" the patch by attempting to break in to this server,
> ssh is running on port 22
> The patch creates and uses a db-4 database in /var/lib/ssh/backoff.db
> I think my code is written carefully, but it might have some bugs. Also
> I think this problem might be better solved outside of sshd (maybe in
> pam). I'd be very grateful for any constructive feedback.
> Thanks!
> Sam
> ( I wrote a similar hack in shell-script a while ago, to prevent
> pppd running up a huge phone bill in the case that a dialup
> connection fails. )
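The per-IP lockout rule Sam's message describes (1 minute after the first failed login, doubling on every further failure, cleared by a successful login), as an added stand-alone model that is not Sam's patch nor OpenSSH code: the patch keeps this state in a db-4 database, while the fixed-size in-memory table, the `backoff_*` function names and the doubling cap are assumptions made here so the logic runs on its own.

```c
#include <string.h>
#include <time.h>

#define MAX_ENTRIES  64   /* assumed table size; the patch uses db-4 instead */
#define BASE_LOCKOUT 60   /* seconds of lockout after the first failure */
#define MAX_SHIFT    20   /* assumed cap on doubling so the shift cannot overflow */

struct backoff_entry {
    char ip[46];          /* textual address, sized for IPv6 */
    unsigned failures;    /* consecutive failed logins from this address */
    time_t locked_until;  /* absolute time the lockout ends; 0 = not locked */
};

static struct backoff_entry table[MAX_ENTRIES];

/* Find the entry for ip, creating it in the first free slot; NULL if full. */
static struct backoff_entry *lookup(const char *ip)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (table[i].ip[0] == '\0') {
            strncpy(table[i].ip, ip, sizeof table[i].ip - 1);
            return &table[i];
        }
        if (strcmp(table[i].ip, ip) == 0)
            return &table[i];
    }
    return NULL;
}

/* Seconds of lockout still remaining for ip at time now; 0 means it may try. */
long backoff_remaining(const char *ip, time_t now)
{
    struct backoff_entry *e = lookup(ip);
    if (e == NULL || e->locked_until <= now)
        return 0;
    return (long)(e->locked_until - now);
}

/* Record a failed login: lockout = 60 * 2^(failures) seconds, then count it. */
long backoff_fail(const char *ip, time_t now)
{
    struct backoff_entry *e = lookup(ip);
    if (e == NULL)
        return BASE_LOCKOUT;  /* table full: fail closed with the base lockout */
    unsigned shift = e->failures < MAX_SHIFT ? e->failures : MAX_SHIFT;
    long lockout = (long)BASE_LOCKOUT << shift;
    e->failures++;
    e->locked_until = now + lockout;
    return lockout;
}

/* A successful login clears the failure history for that address. */
void backoff_success(const char *ip)
{
    struct backoff_entry *e = lookup(ip);
    if (e != NULL) {
        e->failures = 0;
        e->locked_until = 0;
    }
}
```

Wired into sshd this check would run before the password is verified, so a locked-out address is refused without consuming one of its three attempts per connection.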

More information about the openssh-unix-dev mailing list