sshd exponential backoff patch

Sam Watkins swatkins at fastmail.fm
Tue Jan 27 07:55:17 EST 2009 

On Mon, 26 Jan 2009 09:32 -0700, "Bob Proulx" <bob at proulx.com> wrote:
> I read "hundreds of login attempts" in order to brute force a
> password.  But it actually takes orders of magnitudes more to brute
> force attack a password.

Yes, I said "hundreds" because that is how many failed attempts you
cannot possibly make. 2^100 * [inital lockout time] is a large time to
wait. Actually you cannot make more than about 29 before you would die
of old age. I've changed the initial lockout time to 5 seconds, I found
1 minute was too annoying.

> I think it would be an interesting whitehat project to build an attack
> program against ssh using a password guesser.  Then people who fear
> that ssh passwords can be guessed too easily can play with it and be
> assured that a successful brute force attack against ssh by password
> guessing is actually quite difficult.

It's difficult to crack only if people have good passwords, and if the
attacker does not have a clue to what your passwords might be. In
reality a lot of people have weak passwords, and sysadmins have little
control over their users' passwords, or don't bother to enforce strong
passwords.

In the case of a weak password it should be fairly easy for a powerful
cracking program to crack the account within a few days, if sshd does
not limit the number of attempts.

Exponential backoff reduces the need for strong passwords. Suddenly
"cat3" is a strong enough password. I think reducing the need for strong
passwords is a good thing, as most people don't use strong passwords at
all, and even many computer experts use weak passwords for accounts they
consider unimportant. It would actually be more secure if a person would
use a handful of weak passwords (with limited login attempts) than to
use the same couple of strong passwords across multiple systems.

> A disadvantage of your patch is that I think exponential backoff
> creates too long of delays.  A non-exponential backoff seems more
> desirable to me than an exponential backoff.

You could patch the patch to do what you want, that would be a trivial
change. With NAT we can have multiple users behind a single IP address,
so in that case we would not want to lock out a legitimate user for a
long period. Such legitimate users with crippled Internet access might
consider using key-based auth or another access method.

I don't seriously expect Theo or anyone else to accept my patch into
standard openssh, but I do think it is a useful feature, and I will
continue to use it myself. I will use the same technique in other
authentication systems that I might write, e.g. webapps. Perhaps if the
patch were tidied up and configuration options added to control it, it
might be more acceptable.

Sam

More information about the openssh-unix-dev mailing list