Feature request: FAIL_DELAY-support for sshd
Bjoern Voigt
bjoern at cs.tu-berlin.de
Thu Feb 3 03:59:29 EST 2005
Darren Tucker <dtucker at zip.com.au> wrote:
> 3.9p1 should insert a delay on fail if PAM is configured to do so (it does on
> my RH9 box) for password authentication. -current fixes that for
> keyboard-interactive too.
Thanks. But how do I configure the delays in PAM? I searched the
PAM documentation for this, but I only found that the default delay is
1 second and that there is a nodelay option.
> None of this is going to make any difference for your situation,
> though.
Yes, unfortunately.
> Notice that the pids for each attempt are different? Even if each sshd delays
> it's not going to slow down an attacker much if at all since the requests are
> effectively pipelined. It would mean that the resources for each connection
> are tied up on your server for longer.
Yes, but I would like to combine the delay method with restricting
unauthenticated connections. This can be done with the
"MaxStartups" option.
> What would help is restricting the rate of connections permitted from each
> source. (Such a feature was recently added to OpenBSD's pf, and may exist in
> other filters.)
Yes, netfilter (Linux) may also have such options. But I'm not really a
firewall expert. I use a set of shell scripts from SuSE Linux
(SuSEfirewall2). This firewall does a good job for my needs. It's
possible, but not very easy to extend SuSEfirewall2's shell scripts.
> Please try repeating this test with either:
> - "PasswordAuthentication yes" and "ChallengeResponseAuthentication no" in
> sshd_config
Ok, I tested it. But I did not see many differences. In fact, I only
noticed another password prompt for both methods. Also the documentation
(man sshd_config) doesn't help me much here. Do you know the difference?
> - a current development snapshot from
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
I tested it (openssh-SNAP-20050105.tar.gz, the latest file). But I saw
no differences. Maybe I should tune my PAM config first (see above).
Regards, Björn
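The "MaxStartups" option mentioned above is sshd's limit on concurrent unauthenticated connections. The following is an added example, not code from this thread or from OpenSSH itself; it models the behaviour documented in sshd_config(5) for the "start:rate:full" form (refuse a new connection with probability rate/100 once `start` unauthenticated connections are pending, rising linearly to 100% at `full`) and for the bare "MaxStartups n" form (refuse everything once n are pending). The class and method names are this example's own, and the integer arithmetic for the linear ramp is an assumption chosen to match that description, so it can be used to reason about what a given setting does under load.

```python
"""Model of sshd's MaxStartups random-early-drop policy (added example).

Not OpenSSH code. Follows the sshd_config(5) description of
"MaxStartups start:rate:full": below `start` pending unauthenticated
connections nothing is dropped; at `start` a new connection is refused
with probability rate/100; the probability rises linearly to 100% at
`full`. A bare "MaxStartups n" means refuse all once n are pending.
Names and the exact integer ramp are this example's assumptions.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class MaxStartups:
    start: int   # pending unauthenticated connections before dropping begins
    rate: int    # drop probability in percent at exactly `start`
    full: int    # from here on every new connection is refused

    @classmethod
    def parse(cls, value: str) -> "MaxStartups":
        """Parse an sshd_config value, either 'n' or 'start:rate:full'."""
        parts = value.strip().split(":")
        if len(parts) == 1:
            n = int(parts[0])
            return cls(start=n, rate=100, full=n)
        if len(parts) != 3:
            raise ValueError(f"bad MaxStartups value: {value!r}")
        start, rate, full = (int(p) for p in parts)
        if not (0 < start <= full) or not (0 <= rate <= 100):
            raise ValueError(f"bad MaxStartups value: {value!r}")
        return cls(start, rate, full)

    def drop_percent(self, pending: int) -> int:
        """Probability (0-100) of refusing a new connection when `pending`
        unauthenticated connections are already open."""
        if pending < self.start:
            return 0
        if pending >= self.full or self.rate == 100:
            return 100
        span = self.full - self.start            # > 0 here, since start < full
        return (100 - self.rate) * (pending - self.start) // span + self.rate

    def should_drop(self, pending: int,
                    rng: Callable[[], float] = random.random) -> bool:
        """One random-early-drop decision for a new connection; `rng` is
        injectable so the decision can be checked deterministically."""
        return rng() * 100 < self.drop_percent(pending)

    def ramp(self, step: int = 10) -> List[Tuple[int, int]]:
        """(pending, drop percent) pairs from 0 up to `full`, for a quick
        look at how aggressive a setting is."""
        return [(n, self.drop_percent(n)) for n in range(0, self.full + 1, step)]


if __name__ == "__main__":
    cfg = MaxStartups.parse("10:30:60")      # constructed sample setting
    for pending, pct in cfg.ramp():
        print(f"{pending:3d} pending -> {pct:3d}% of new connections refused")
```

Run stand-alone it prints the refusal ramp for "10:30:60"; swapping in the plain "MaxStartups 10" form shows the hard cut-off at 10 pending connections, which is the trade-off a defender makes when relying on this option alongside per-connection delays.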