Openssh use enumeration

Darren Tucker dtucker at
Thu Jul 21 11:45:38 AEST 2016

On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at> wrote:
> Hi, sorry I don't know if I send this to the correct channel.

It is.

> it's possible in certain circumstances to provoke a DOS
> condition in the access to the ssh server.

We have been discussing this a bit, and what we have just added is a
simple hard limit on the allowed size of a password string at 1k,
above which the password is immediately refused.  There's other
possible embellishments (eg, add a possibly variable delay) but we
haven't decided on any yet.


Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list