Defend against user enumeration timing attacks - overkill

Dmitry Belyavskiy dbelyavs at
Wed Apr 12 19:55:21 AEST 2023

Dear colleagues,

I have a question about this commit:

The function ensure_minimum_time_since effectively doubles the time
spent in the input_userauth_request (mostly presumably in PAM). So if
PAM processing is really slow, it will cause huge delays - but if it
is so slow, it's more difficult to perform the enumeration attack.

So doesn't it make sense to provide an upper limit here and, if the
time actually spent is more than this upper limit, to avoid the extra
sleep? Will it still be necessary to protect from the attack? Vice
versa, when the auth failure happens fast enough, the doubling will not
significantly slow down the enumerations...

Any comments will be highly appreciated!

Dmitry Belyavskiy
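A model of the pad-to-minimum rule the message refers to, added here as an illustration and not OpenSSH's own code; the function names and the microsecond figures are the example's own assumptions, chosen to show why a fast failure path is padded far more than a slow PAM path:

```c
/* Added example (not OpenSSH code): models padding a failed auth attempt
 * up to a minimum duration, doubling the minimum when it was already
 * exceeded.  All timings are in microseconds and are constructed. */
#include <stdio.h>
#include <time.h>

/* Total wall-clock time an attempt takes after padding: if the work
 * already took longer than the minimum, the minimum is doubled until it
 * covers the elapsed time; the caller then sleeps the remainder. */
static long
padded_total_us(long elapsed_us, long minimum_us)
{
	long target = minimum_us;

	while (target < elapsed_us)   /* already over: scale up by doubling */
		target *= 2;
	return target;
}

/* Extra sleep needed so the attempt ends at the padded total. */
static long
extra_sleep_us(long elapsed_us, long minimum_us)
{
	return padded_total_us(elapsed_us, minimum_us) - elapsed_us;
}

/* True if two failure paths still end with different total durations,
 * i.e. an observer could tell them apart by wall-clock time alone. */
static int
timing_distinguishable(long elapsed_a_us, long elapsed_b_us, long minimum_us)
{
	return padded_total_us(elapsed_a_us, minimum_us) !=
	    padded_total_us(elapsed_b_us, minimum_us);
}

int
main(void)
{
	const long minimum = 5000;     /* assumed 5 ms floor */
	const long fast = 300;         /* constructed: failure before PAM */
	const long slow = 12000;       /* constructed: slow PAM failure */
	struct timespec ts = { 0, extra_sleep_us(fast, minimum) * 1000L };

	printf("fast path: %ld us -> %ld us total\n", fast, padded_total_us(fast, minimum));
	printf("slow path: %ld us -> %ld us total\n", slow, padded_total_us(slow, minimum));
	printf("fast vs 4 ms path distinguishable: %d\n",
	    timing_distinguishable(fast, 4000, minimum));
	nanosleep(&ts, NULL);          /* the padding sleep for the fast path */
	return 0;
}
```

The fast path is stretched to the floor (masking it against any other sub-floor path), while a path already slower than the floor is stretched to at most double its own duration.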

More information about the openssh-unix-dev mailing list