Defend against user enumeration timing attacks - overkill
Dmitry Belyavskiy
dbelyavs at redhat.com
Wed Jun 28 22:11:53 AEST 2023
Dear Peter,
I'm trying to balance the original problem statement (protection from
users enumeration) and avoid doubling time here if the process has
already taken a long time to provide faster auth method iteration.
I believe that a better solution is to set some arbitrary (probably
configurable) timeout and, in case when we spend more time than that
value, avoid doubling it.
On Wed, Jun 28, 2023 at 2:04 PM Peter Stuge <peter at stuge.se> wrote:
>
> Dmitry Belyavskiy wrote:
> > May I ask you to explain whether I am wrong in my conclusions?
>
> I guess it's not clear what problem you are trying to solve.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
Dmitry Belyavskiy
More information about the openssh-unix-dev
mailing list