bugzilla-daemon at mindrot.org
2023-Aug-16  10:13 UTC
[Bug 3602] New: Limit artificial delay to some reasonable limit
https://bugzilla.mindrot.org/show_bug.cgi?id=3602
            Bug ID: 3602
           Summary: Limit artificial delay to some reasonable limit
           Product: Portable OpenSSH
           Version: 9.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dbelyavs at redhat.com
Created attachment 3717
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3717&action=edit
A proposed patch
Commit
https://github.com/beldmit/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95
introduced a randomized delay to avoid a user enumeration timing attack.
Unfortunately, in the case of a bad network it effectively doubles the time
spent in input_userauth_request (mostly, presumably, in PAM). So if
PAM processing is really slow, it will cause huge delays - but if it
is so slow, it's more difficult to perform the enumeration attack.
The proposed patch removes the delay in the case of the "none" auth method, as
it is a dummy method and no information can be obtained from the delay,
and establishes a reasonable threshold to limit the delay.
The patch is also available as
https://github.com/openssh/openssh-portable/pull/429
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
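The delay behaviour the report describes, as an added illustration that is not sshd's code nor the attached patch: a per-user delay derived from a keyed hash, padding that doubles its target until it exceeds the elapsed time (so padding can approach the elapsed time itself), an optional cap, and no padding for the "none" method. The hash, the 5 ms floor, the 5 s cap and the function names are assumptions made for this example.

```c
#include <string.h>

/* Hypothetical constants for this example: 5 ms floor, 5 s cap. */
#define MIN_FAIL_DELAY 0.005
#define MAX_FAIL_DELAY 5.0

static int near(double a, double b) { double d = a - b; return d < 1e-9 && d > -1e-9; }

/* Deterministic per-user jitter: keyed FNV-1a stands in for a keyed digest (assumption).
 * The same user always gets the same delay, so repeated probes learn nothing from it. */
double user_specific_delay(unsigned long long secret, const char *user) {
    unsigned long long h = 1469598103934665603ULL ^ secret;
    for (const char *p = user; *p; p++) {
        h ^= (unsigned char)*p;
        h *= 1099511628211ULL;
    }
    /* 32 bits of hash scaled into 0 .. ~4.3 ms of extra delay */
    return MIN_FAIL_DELAY + (double)(unsigned)(h >> 32) / 1e12;
}

/* Seconds still to sleep so the client cannot tell where the time went.
 * If the request already took longer than 'requested', the target is doubled
 * until it exceeds 'elapsed', which is why the padding can approach 'elapsed'.
 * With 'capped' set, the padding is limited to MAX_FAIL_DELAY. */
double padding_seconds(double elapsed, double requested, int capped) {
    double seconds = requested, remain;
    if (seconds <= 0.0)
        return 0.0;                       /* guard: avoid an endless doubling loop */
    while ((remain = seconds - elapsed) < 0.0)
        seconds *= 2;
    if (capped && remain > MAX_FAIL_DELAY)
        remain = MAX_FAIL_DELAY;
    return remain;
}

/* Successful logins and the "none" probe method carry no secret to protect,
 * so they get no padding at all. */
double auth_delay(const char *method, int authenticated,
                  double elapsed, double requested, int capped) {
    if (authenticated || strcmp(method, "none") == 0)
        return 0.0;
    return padding_seconds(elapsed, requested, capped);
}
```

For a slow PAM stack (30 s elapsed) the uncapped padding adds nearly 11 s more; the capped variant stops at 5 s and "none" adds nothing.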
bugzilla-daemon at mindrot.org
2023-Aug-28  05:59 UTC
[Bug 3602] Limit artificial delay to some reasonable limit
https://bugzilla.mindrot.org/show_bug.cgi?id=3602
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at dtucker.net
   Attachment #3717|                            |ok?(dtucker at dtucker.net)
              Flags|                            |
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 3717
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3717
A proposed patch
This looks sensible to me.
bugzilla-daemon at mindrot.org
2023-Aug-28  08:57 UTC
[Bug 3602] Limit artificial delay to some reasonable limit
https://bugzilla.mindrot.org/show_bug.cgi?id=3602
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3717|ok?(dtucker at dtucker.net)    |
              Flags|                            |
   Attachment #3717|0                           |1
        is obsolete|                            |
   Attachment #3724|                            |ok+
              Flags|                            |
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3724
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3724&action=edit
Seems reasonable.  Patch can be simplified a little, though.
bugzilla-daemon at mindrot.org
2023-Aug-28  08:58 UTC
[Bug 3602] Limit artificial delay to some reasonable limit
https://bugzilla.mindrot.org/show_bug.cgi?id=3602
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3605
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3605
[Bug 3605] Tracking bug for OpenSSH 9.5
bugzilla-daemon at mindrot.org
2023-Aug-28  09:49 UTC
[Bug 3602] Limit artificial delay to some reasonable limit
https://bugzilla.mindrot.org/show_bug.cgi?id=3602
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Committed and will be in OpenSSH 9.5, due in a few months.