Feature request: FAIL_DELAY-support for sshd

Bjoern Voigt bjoern at cs.tu-berlin.de
Thu Feb 3 03:59:03 EST 2005


Ed Maste <emaste at phaedrus.sandvine.ca> wrote:

> It seems that sshd's checking of getpwnam() before trying to
> authenticate with PAM causes many issues.  For example, some PAM
> modules want to change the username after authenticating; the user
> passed in to PAM might not even exist.  (Of course the user returned
> by PAM must.)  This can be used to allow role-account logins, if the
> user authenticates using something like radius.

Yes, the function allowed_user() in auth.c checks the user account with
getpwnam() or getspnam(). The function is difficult to read because of a
lot of #ifdef's.

It's possible to insert "sleep(seconds)" here to slow down the
connection a bit. But this also slows down "good" connections.

> That said, however, I think OpenSSH is designed to follow the same
> code path for authentication with valid/invalid users.  I believe it
> should call pam_authenticate also for users that don't exist.  Are you
> sure pam_authenticate isn't being called?

Not really sure, because I haven't fully understood the authentication
code. There are filenames like auth.c, auth1.c, auth2.c. Also, my
debugger (gdb-6.2) seems to have some problems with OpenSSH. I compiled
with "CFLAGS=-g ./configure --enable-debug ..." and I debug with "sshd
-p XXX -dDD" but gdb does not find my breakpoints.

Anyway, with debugging messages inserted, I think that
pam_authenticate() will be called only for existing users
(allowed_user() check).

Regards, Björn


More information about the openssh-unix-dev mailing list