openssh unix dev - Oct 2023 - [EXTERNAL] Re: ssh wish list?

Am 18.10.23 um 20:37 schrieb Robinson, Herbie:
> If one does add such a plugin, it should be in a place where it can delay
for an exponentially increasing time (or return a delay time to SSH).  You don?t
want to just reject the login, because they might keep hammering you.
The patch I proposed just invokes an external program on every failed 
login attempt detected. I does not implement any policy. And if the 
offending host is blocked, by modifying firewall rules or similar, there 
could be no hammering.

I only mentioned this, because if the plugin chose to implement a long sleep, it
could break other things in ssh (depending on where it is inserted).  If the
plugin returns that it would like a certain delay, than SSH can implement the
delay and adjust any relevant timeouts.  The alternative would be to document
whether or not the plug-in is allowed to sleep.

From: openssh-unix-dev <openssh-unix-dev-bounces+herbie.robinson=stratus.com
at mindrot.org> On Behalf Of Thomas K?ller
Sent: Wednesday, October 18, 2023 3:00 PM
To: openssh-unix-dev at mindrot.org
Subject: Re: [EXTERNAL] Re: ssh wish list?

[EXTERNAL SENDER: This email originated from outside of Stratus Technologies. Do
not click links or open attachments unless you recognize the sender and know the
content is safe.]

Am 18.10.23 um 20:37 schrieb Robinson, Herbie:
> If one does add such a plugin, it should be in a place where it can delay
for an exponentially increasing time (or return a delay time to SSH). You don?t
want to just reject the login, because they might keep hammering you.
The patch I proposed just invokes an external program on every failed
login attempt detected. I does not implement any policy. And if the
offending host is blocked, by modifying firewall rules or similar, there
could be no hammering.