Suggestion: SSHD pseudo/fake mode. Source available.
Daniel Kastenholz
daniel.kastenholz at in.tum.de
Sat Feb 26 18:30:32 EST 2005
Hi again,
it's once more about this SSH trap thing.
I have received some answers which proposed to use configuration options
like "DenyUsers *" to deny all logins. That approach sounds more
promising, especially from the developer's perspective, because it
wouldn't need tweaks in the code itself. I must admit I hadn't tried this!
And, in fact, it does work: all credentials are rejected, even if
they're correct. The effort is in fact a lot lower than with my
circumstantial tweaks in the source code itself.
However, the daemon behaves slightly different when the "DenyUsers *"
option is used. By default, sshd disconnects when the third wrong set of
credentials has been provided. With "DenyUsers *", this always happens
after the first attempt. In some - admittedly: very rare - cases, that
_might_ alert an attacker. (And as stated earlier, the intention was to
have a trap that behaves essentially like an unmodified daemon does.)
But in most cases this difference _should_ remain unnoticed, since brute
force attackers usually disconnect after the first failed attempt anyway
and reconnect.
Regards
Daniel
More information about the openssh-unix-dev
mailing list