Openssh use enumeration
dtucker at zip.com.au
Thu Jul 21 11:45:38 AEST 2016
On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at autistici.org> wrote:
> Hi, sorry I don't know if I send this to the correct channel.
> it's possible in certain circumstances to provoke a DOS
> condition in the access to the ssh server.
We have been discussing this a bit, and what we have just added is a
simple hard limit on the allowed size of a password string at 1k,
above which the password is immediately refused. There's other
possible embellishments (eg, add a possibly variable delay) but we
haven't decided on any yet.
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev