Defend against user enumeration timing attacks - overkill

Dmitry Belyavskiy dbelyavs at redhat.com
Wed Jun 28 21:51:07 AEST 2023


Dear colleagues,

May I ask you to explain whether I am wrong in my conclusions?

On Wed, Apr 12, 2023 at 11:55 AM Dmitry Belyavskiy <dbelyavs at redhat.com> wrote:
>
> Dear colleagues,
>
> I have a question about this commit:
>
> https://github.com/openssh/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95#diff-a25e40214ca9c9f78abce22f23bf2abdb2a24384c6610d60bbb314aed534eb48R216
>
> The function ensure_minimum_time_since effectively doubles the time
> spent in the input_userauth_request (mostly presumably in PAM). So if
> PAM processing is really slow, it will cause huge delays - but if it
> is so slow, it's more difficult to perform the enumeration attack.
>
> So doesn't it make sense to provide an upper limit here and, if the
> time really spent is more than this upper limit, to avoid the extra
> sleep? Will it still be necessary to protect from the attack? Vice
> versa, when the auth failure happens fast enough, the doubling will
> not significantly slow down the enumerations...
>
> Any comments will be highly appreciated!
>
> --
> Dmitry Belyavskiy



-- 
Dmitry Belyavskiy
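As an added illustration (not OpenSSH's code and not from this thread), the padding rule behind ensure_minimum_time_since, modelled as a pure function so the effect the post describes can be inspected without actually sleeping; the 50 ms floor and the elapsed times are constructed values, not OpenSSH's defaults:

```c
/* Added example: models the padding applied to a failed userauth
 * request. The real function sleeps for the remainder; this version only
 * computes the resulting total so the behaviour can be checked offline. */
#include <stdio.h>

/* Total time the request takes once padding is applied: the requested
 * floor is doubled until it is at least the time already spent, and the
 * caller then sleeps for the difference. */
static double padded_total(double elapsed, double floor_s)
{
    double target = floor_s;
    while (target - elapsed < 0.0)   /* already past the floor: scale up */
        target *= 2.0;
    return target;
}

/* The sleep portion only (what the caller would hand to nanosleep). */
static double padding_sleep(double elapsed, double floor_s)
{
    return padded_total(elapsed, floor_s) - elapsed;
}

/* Tolerant comparison for the floating-point results. */
static int approx(double a, double b)
{
    double d = a - b;
    if (d < 0.0)
        d = -d;
    return d < 1e-9;
}

int main(void)
{
    const double floor_s = 0.050;   /* constructed 50 ms floor */
    /* Constructed elapsed times: two fast failures, a slow PAM path,
     * and a very slow one. The fast ones collapse into the same 50 ms
     * bucket; the slow ones are pushed to the next power-of-two multiple,
     * which is the "effectively doubles" effect raised in the post. */
    const double cases[] = { 0.003, 0.040, 0.120, 0.900 };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        double e = cases[i];
        printf("elapsed %7.1f ms -> sleep %7.1f ms -> total %7.1f ms\n",
               e * 1000, padding_sleep(e, floor_s) * 1000,
               padded_total(e, floor_s) * 1000);
    }
    return 0;
}
```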