[EXTERNAL] Re: ssh wish list?
Robinson, Herbie
Herbie.Robinson at stratus.com
Thu Oct 19 07:03:01 AEDT 2023
I only mentioned this, because if the plugin chose to implement a long sleep, it could break other things in ssh (depending on where it is inserted). If the plugin returns that it would like a certain delay, than SSH can implement the delay and adjust any relevant timeouts. The alternative would be to document whether or not the plug-in is allowed to sleep.
From: openssh-unix-dev <openssh-unix-dev-bounces+herbie.robinson=stratus.com at mindrot.org> On Behalf Of Thomas Köller
Sent: Wednesday, October 18, 2023 3:00 PM
To: openssh-unix-dev at mindrot.org
Subject: Re: [EXTERNAL] Re: ssh wish list?
[EXTERNAL SENDER: This email originated from outside of Stratus Technologies. Do not click links or open attachments unless you recognize the sender and know the content is safe.]
Am 18.10.23 um 20:37 schrieb Robinson, Herbie:
> If one does add such a plugin, it should be in a place where it can delay for an exponentially increasing time (or return a delay time to SSH). You don’t want to just reject the login, because they might keep hammering you.
The patch I proposed just invokes an external program on every failed
login attempt detected. I does not implement any policy. And if the
offending host is blocked, by modifying firewall rules or similar, there
could be no hammering.
More information about the openssh-unix-dev
mailing list