Feature request: FAIL_DELAY-support for sshd
Darren Tucker
dtucker at zip.com.au
Tue Feb 8 18:47:39 EST 2005
Bjoern Voigt wrote:
> Ok, but unfortunately there is probably not a configure option for this
> in Linux PAM. I did not find one.
It's trivial to write one, so:
http://www.zip.com.au/~dtucker/patches/pam_faildelay.c
It turns out I should have invoked Google *before* vi, because someone
beat me to it by many years (timestamps are 1997):
http://www-uxsup.csx.cam.ac.uk/~pjb1008/project/pam_delay/
> You already said that it's possible
> to write such a PAM module. But does it help, if very few people use
> such an un-official PAM module?
Perhaps that's because few people want it? There's been a module
available since last century...
> Also lots of Unix systems have no
> PAM-system or no pam_fail_delay() function.
OK, I've thought about this and here's my opinion:
a) sshd should not insert arbitrary delays.
b) sshd should not arbitrarily override pam_fail_delay() either. If you
want to configure PAM do it via a PAM config file. That's what they're for.
c) maybe sshd could read AUTH_FAIL from login.defs[1] *IF* it's
sufficiently standardized. The facts that the Linux vendors can't agree
on it and the API isn't public are not in its favour.
d) maybe sshd should have a generic option to insert a delay on failed
password-based auths. If so it should default to disabled. If enabled it
would be reasonable to supply it to pam_fail_delay() on platforms that
have it.
[1] reading /etc/default/login on Solaris/Sinix is a precedent for this
sort of thing.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
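As an added example (not code from this thread, from OpenSSH or from either PAM module mentioned), here is what option c) in the reply above would involve if sshd read FAIL_DELAY itself, since the shadow API for it is not public: a small C reader for the login.defs "KEY VALUE" format that converts the seconds value into the microseconds that pam_fail_delay() expects. The login.defs content below is constructed, and a missing or malformed setting is treated as "no extra delay".

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of shadow-style /etc/login.defs content (not a real file). */
static const char *sample_login_defs =
    "# Delay in seconds before being allowed another attempt after a\n"
    "# login failure\n"
    "FAIL_DELAY\t\t3\n"
    "\n"
    "  # indented comment\n"
    "LOG_UNKFAIL_ENAB\tno\n";

/* Look up KEY in login.defs-style text: one "KEY VALUE" pair per line,
 * '#' comments, blank lines, tabs or spaces as separators.
 * Copies the value into out and returns 1 if found, else 0. */
static int login_defs_lookup(const char *text, const char *key, char *out, size_t outlen)
{
    size_t keylen = strlen(key);
    const char *line = text;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;
        while (p < line + len && isspace((unsigned char)*p)) p++;
        if (p < line + len && *p != '#' && (size_t)(line + len - p) > keylen &&
            strncmp(p, key, keylen) == 0 && isspace((unsigned char)p[keylen])) {
            size_t vlen;
            p += keylen;
            while (p < line + len && isspace((unsigned char)*p)) p++;
            vlen = (size_t)(line + len - p);
            while (vlen > 0 && isspace((unsigned char)p[vlen - 1])) vlen--;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, p, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* FAIL_DELAY is in seconds; pam_fail_delay() takes microseconds. Returns 0
 * when the key is absent, non-numeric, negative or absurdly large, so a bad
 * config cannot turn into an unbounded stall for the authenticating process. */
unsigned int fail_delay_usec(const char *text)
{
    char val[32], *endp;
    unsigned long secs;
    if (!login_defs_lookup(text, "FAIL_DELAY", val, sizeof val)) return 0;
    secs = strtoul(val, &endp, 10);
    if (endp == val || *endp != '\0' || secs > 3600) return 0;
    return (unsigned int)(secs * 1000000UL);
}
```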