Feature request: FAIL_DELAY-support for sshd
Darren Tucker
dtucker at zip.com.au
Thu Feb 3 14:02:23 EST 2005
Bjoern Voigt wrote:
> It's possible to insert "sleep(seconds)" here to slow down the
> connection a bit. But this also slows down "good" connections.
You could put a sleep next to the record_failed_login call in auth.c
(outside the ifdef), or even implement your own record_failed_login()
that delays before returning.
> Not really sure, because I haven't fully understood the authentication
> code. There are filenames like auth.c, auth1.c, auth2.c. Also, my
> debugger (gdb-6.2) seems to have some problems with OpenSSH. I compiled
> with "CFLAGS=-g ./configure --enable-debug ..." and I debug with "sshd
> -p XXX -dDD" but gdb does not find my breakpoints.
If you're trying to probe sshd with a debugger then add "-o
UsePrivilegeSeparation=no -r" to the command line (but be aware that it
will behave similarly but not exactly the same as normal operation).
> Anyway, with debugging messages inserted, I think that
> pam_authenticate() will be called only for existing users
> (allowed_user()-check).
That should not be the case. If you can show a situation where the
current version does behave differently then let us know and we'll try
to fix it.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
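
An added example, not part of the original message and not OpenSSH code: a stand-alone C illustration of the second suggestion above, a failed-login hook that delays before returning, so that only failed attempts are slowed and known and unknown users fail through the same path. The names `record_failed_login_delayed`, `check_password`, `authenticate`, `FAIL_DELAY_SECONDS` and the sample credentials are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical knob, named after FAIL_DELAY from the subject line. */
#define FAIL_DELAY_SECONDS 1

static unsigned int failures_recorded;  /* stands in for the failed-login record */

/* Sleep the full interval even if a signal cuts sleep() short. */
static void delay_full(unsigned int seconds)
{
    while (seconds > 0)
        seconds = sleep(seconds);       /* sleep() returns the unslept remainder */
}

/* Hypothetical hook: record the failure, then delay before returning. */
static void record_failed_login_delayed(const char *user, const char *tty)
{
    (void)user;
    (void)tty;
    failures_recorded++;
    delay_full(FAIL_DELAY_SECONDS);
}

/* Constructed stand-in for the real credential check (not a real verifier). */
static int check_password(const char *user, const char *password)
{
    return strcmp(user, "alice") == 0 && strcmp(password, "correct horse") == 0;
}

/* Returns 1 on success (no delay), 0 on failure (recorded and delayed).
 * Unknown users and wrong passwords take the same failure path. */
static int authenticate(const char *user, const char *password)
{
    if (check_password(user, password))
        return 1;
    record_failed_login_delayed(user, "ssh");
    return 0;
}

int main(void)
{
    time_t start = time(NULL);
    int good = authenticate("alice", "correct horse");
    int bad = authenticate("nosuchuser", "guess");
    printf("good=%d bad=%d failures=%u elapsed=%lds\n",
           good, bad, failures_recorded, (long)(time(NULL) - start));
    return 0;
}
```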