Feature request: FAIL_DELAY-support for sshd

Darren Tucker dtucker at zip.com.au
Thu Feb 3 13:06:42 EST 2005


Bjoern Voigt wrote:
> Darren Tucker <dtucker at zip.com.au> wrote:
> 
>>3.9p1 should insert a delay on fail if PAM is configured to do so (it does on
>>my RH9 box) for password authentication.  -current fixes that for
>>keyboard-interactive too.
> 
> Thanks. But how do I configure the delays in PAM? I searched the
> PAM documentation for this, but I only found that the default delay is
> 1 second and there is a nodelay option.

Hmm, looks like it's hard-coded at 2s in pam_unix.  I don't know if it's 
user-tweakable.  A PAM module that sets pam_fail_delay from a parameter 
should be easy to write.

(BTW, pam_fail_delay is AFAIK LinuxPAM only.)

>>Please try repeating this test with either:
>> - "PasswordAuthentication yes" and "ChallengeResponseAuthentication no" in
>>sshd_config
> 
> Ok, I tested it. But I did not see much differences. In fact, I only
> noticed another password-prompt for both methods. Also the documentation
> (man sshd_config) doesn't help me much here. Do you know the difference?

Sadly, yes.  I should update the FAQ entry for PAM 
(http://www.openssh.com/faq.html#3.15) to cover this, but the basic 
difference is:

PasswordAuthentication uses the SSH password protocol, which is 
effectively a simple password (although encrypted on the wire).  The 
password prompt ("user@host's password: ") is generated by the client. 
When sshd feeds the password to PAM, it's done in a "blind" fashion: 
If PAM sends a prompt with echo off, sshd responds with the password. 
If PAM prompts for anything else, sshd responds with an error.

ChallengeResponseAuthentication uses the SSH keyboard-interactive 
protocol, which allows several rounds of dialog between client and 
server.  The password prompt you see is generated on the server.  This 
allows arbitrarily complex "conversations", for example a real 
challenge-response authentication (such as S/Key or OPIE) or whatever 
else PAM module authors dream up.

Each has its limitations, and they are implemented by different code. 
Occasionally these behave differently in some cases (we try to keep it 
as consistent as possible).

(I'm ignoring Protocol 1 and TIS authentication for the time being. 
It's similar to ChallengeResponse but with a slightly different set of 
rules.)

>> - a current development snapshot from
>>ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
> 
> I tested it (openssh-SNAP-20050105.tar.gz, the latest file). But I saw
> no differences. Maybe I should tune my PAM config first (see above).

I checked the change log; the changes I was referring to didn't go in 
until 20050118, and there seems to be some problem with snaps being 
propagated to the ftp sites.

In the meantime I've temporarily put up an unofficial snap at
http://www.zip.com.au/~dtucker/tmp/openssh-20050203.tar.gz

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
