[PATCH 0/1] *** SUBJECT HERE ***
Christoph Anton Mitterer
calestyo at scientia.net
Fri Mar 13 05:09:06 AEDT 2020
On Wed, 2020-03-11 at 21:39 +0100, Thomas Koeller wrote:
> an external program will be invoked every time a session
> is
> terminated without the requesting client being authenticated.
IMO, the idea itself sounds not the best... one must assume that such
invoked programs are not written "safe"... and thus an attacker could
potentially cause the system to run such programs a huge number of
times.
Maybe they take a while to finish (or in error case: do not finish a
all) thus causing DoS.
Not to talk about further complex scenarios where such invocation might
be used for analysis or other forms of attacks.
Cheers,
Chris.
More information about the openssh-unix-dev
mailing list