Openssh use enumeration

Darren Tucker dtucker at zip.com.au
Thu Jul 21 11:45:38 AEST 2016


On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at autistici.org> wrote:
> Hi, sorry I don't know if I send this to the correct channel.

It is.

[..]
> it's possible in certain circumstances to provoke a DOS
> condition in the access to the ssh server.

We have been discussing this a bit, and what we have just added is a
simple hard limit on the allowed size of a password string at 1k,
above which the password is immediately refused.  There's other
possible embellishments (eg, add a possibly variable delay) but we
haven't decided on any yet.

Thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list