[EXTERNAL] Re: ssh wish list?

Chris Rapier rapier at psc.edu
Thu Oct 19 07:31:34 AEDT 2023


So what if this was done as a PAM module? That would:

a) reduce the code that the openssh dev team needs to maintain, as it 
doesn't really touch ssh at all
b) reduce code complexity, path breaking, etc.
c) be self contained and optional for those that really want it.



On 10/18/23 4:03 PM, Robinson, Herbie wrote:
> I only mentioned this because if the plugin chose to implement a long sleep, it could break other things in ssh (depending on where it is inserted). If the plugin returns that it would like a certain delay, then SSH can implement the delay and adjust any relevant timeouts. The alternative would be to document whether or not the plug-in is allowed to sleep.
> 
> From: openssh-unix-dev <openssh-unix-dev-bounces+herbie.robinson=stratus.com at mindrot.org> On Behalf Of Thomas Köller
> Sent: Wednesday, October 18, 2023 3:00 PM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: [EXTERNAL] Re: ssh wish list?
> 
> On 18.10.23 at 20:37, Robinson, Herbie wrote:
>> If one does add such a plugin, it should be in a place where it can delay for an exponentially increasing time (or return a delay time to SSH). You don’t want to just reject the login, because they might keep hammering you.
> 
> The patch I proposed just invokes an external program on every failed
> login attempt detected. It does not implement any policy. And if the
> offending host is blocked, by modifying firewall rules or similar, there
> could be no hammering.
