Defend against user enumeration timing attacks - overkill

Dmitry Belyavskiy dbelyavs at redhat.com
Fri Aug 25 22:01:18 AEST 2023


Dear Peter,

https://bugzilla.mindrot.org/show_bug.cgi?id=3602 is the patch I
propose to fix this issue.
It removes the delay for the "none" auth method (which is a dummy and
doesn't provide any information) and provides an (arbitrary) limit on
the delay.

On Wed, Jun 28, 2023 at 2:11 PM Dmitry Belyavskiy <dbelyavs at redhat.com> wrote:
>
> Dear Peter,
>
> I'm trying to balance the original problem statement (protection from
> user enumeration) and avoid doubling time here if the process has
> already taken a long time, to provide faster auth method iteration.
> I believe that a better solution is to set some arbitrary (probably
> configurable) timeout and, in case when we spend more time than that
> value, avoid doubling it.
>
> On Wed, Jun 28, 2023 at 2:04 PM Peter Stuge <peter at stuge.se> wrote:
> >
> > Dmitry Belyavskiy wrote:
> > > May I ask you to explain whether I am wrong in my conclusions?
> >
> > I guess it's not clear what problem you are trying to solve.
> >
> >
> > //Peter
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
>
> --
> Dmitry Belyavskiy



-- 
Dmitry Belyavskiy
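The padding policy the thread describes, written out as an added example (this is illustrative code, not the patch from the Bugzilla entry or OpenSSH's own implementation): failed attempts are padded to a minimum duration so response time does not reveal whether a user exists, the target is doubled when an attempt already overran it, the doubling is capped, and the "none" method, which carries no credential, gets no padding at all. The names `pad_delay`, `authenticate_padded` and the 2-second `MAX_DELAY` value are assumptions made for the example.

```python
import time

# Arbitrary configurable cap on the padded duration (assumed value for this example).
MAX_DELAY = 2.0  # seconds


def pad_delay(method, elapsed, target, max_delay=MAX_DELAY):
    """Return (seconds_to_sleep, new_target) for a failed auth attempt.

    method  - SSH userauth method name, e.g. "none", "password", "publickey"
    elapsed - seconds the attempt has already taken
    target  - minimum duration every failed attempt should reach
    """
    if method == "none":
        # "none" is a probe without credentials: it cannot leak whether the
        # user exists, so padding it only slows down method negotiation.
        return 0.0, target
    # If the attempt overran the target, scale the target up (doubling), but
    # stop at the cap so a slow backend cannot turn into an unbounded delay.
    while elapsed > target:
        if target >= max_delay:
            break
        target *= 2
    target = min(target, max_delay)
    return max(0.0, target - elapsed), target


def authenticate_padded(method, check, state):
    """Run the credential check and pad the failure path.

    check - zero-argument callable returning True on successful authentication
    state - dict holding "target", the per-connection minimum failure duration
    """
    start = time.monotonic()
    ok = check()
    elapsed = time.monotonic() - start
    if not ok:
        delay, state["target"] = pad_delay(method, elapsed, state["target"])
        time.sleep(delay)
    return ok


if __name__ == "__main__":
    # Constructed scenario: an unknown user fails fast, a known user with a
    # wrong password fails slowly; both must end up at the same padded duration.
    state = {"target": 0.1}
    for name, cost in (("unknown user", 0.001), ("known user", 0.35)):
        t0 = time.monotonic()
        authenticate_padded("password", lambda c=cost: time.sleep(c) or False, state)
        print(f"{name}: {time.monotonic() - t0:.2f}s, target now {state['target']:.2f}s")
```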


