So what if this was done as a PAM module? That would:
a) reduce the code that the openssh dev team needs to maintain, as it
doesn't really touch ssh at all;
b) reduce code complexity, path breaking, etc.;
c) be self-contained and optional for those that really want it.
On 10/18/23 4:03 PM, Robinson, Herbie wrote:
> I only mentioned this, because if the plugin chose to implement a long
> sleep, it could break other things in ssh (depending on where it is inserted).
> If the plugin returns that it would like a certain delay, then SSH can implement
> the delay and adjust any relevant timeouts. The alternative would be to
> document whether or not the plugin is allowed to sleep.
>
> From: openssh-unix-dev
> <openssh-unix-dev-bounces+herbie.robinson=stratus.com at mindrot.org> On
> Behalf Of Thomas Köller
> Sent: Wednesday, October 18, 2023 3:00 PM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: [EXTERNAL] Re: ssh wish list?
>
> On 18.10.23 at 20:37, Robinson, Herbie wrote:
>> If one does add such a plugin, it should be in a place where it can
>> delay for an exponentially increasing time (or return a delay time to SSH). You
>> don't want to just reject the login, because they might keep hammering you.
>
> The patch I proposed just invokes an external program on every failed
> login attempt detected. It does not implement any policy. And if the
> offending host is blocked, by modifying firewall rules or similar, there
> could be no hammering.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
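The thread above turns on one design question: should a failed-login plugin sleep itself, or return the delay it wants so sshd can apply it and keep its own timeouts consistent? The following is an added example (not OpenSSH code, not Thomas Köller's patch, and not a PAM module) sketching the second contract in C. The hook signature `failed_login_hook`, the functions `backoff_hook`, `forget_host` and `sshd_delay_after_failure`, the cap of 60 s and the RFC 5737 documentation addresses are all hypothetical or constructed for the illustration. It shows a per-source-host exponential backoff policy living entirely in the plugin, while the daemon side clamps whatever comes back to both a policy maximum and the remaining login grace time, so a buggy or hostile plugin can never stall the daemon.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not OpenSSH code: models the "plugin returns a delay,
 * sshd applies it" contract discussed in the thread. All names are hypothetical. */

#define MAX_HOSTS       64
#define BASE_DELAY_MS   1000u
#define MAX_DELAY_MS    60000u   /* policy cap enforced on the sshd side */

/* Hypothetical hook signature: invoked on every failed login attempt. The hook
 * must not sleep; it only reports the delay it would like, in milliseconds. */
typedef uint32_t (*failed_login_hook)(const char *remote_host, const char *user);

struct host_state {
    char host[64];
    unsigned failures;
};

static struct host_state table[MAX_HOSTS];

/* Linear scan is fine for a demo; a real module would use a hash table or a
 * file-backed store so state survives an sshd re-exec. */
static struct host_state *lookup(const char *host, int create)
{
    struct host_state *free_slot = NULL;
    for (size_t i = 0; i < MAX_HOSTS; i++) {
        if (table[i].host[0] == '\0') {
            if (free_slot == NULL)
                free_slot = &table[i];
        } else if (strcmp(table[i].host, host) == 0) {
            return &table[i];
        }
    }
    if (!create || free_slot == NULL)
        return NULL;
    snprintf(free_slot->host, sizeof free_slot->host, "%s", host);
    free_slot->failures = 0;
    return free_slot;
}

/* Example policy: per-source-host exponential backoff. Returns the requested
 * delay; saturates instead of overflowing so the caller's clamp always wins. */
uint32_t backoff_hook(const char *remote_host, const char *user)
{
    (void)user;
    struct host_state *s = lookup(remote_host, 1);
    if (s == NULL)
        return BASE_DELAY_MS;       /* table full: still ask for the base delay */
    if (s->failures < 32)
        s->failures++;
    unsigned shift = s->failures - 1;
    if (shift >= 16)
        return UINT32_MAX;          /* 1000 << 16 already exceeds any sane cap */
    return BASE_DELAY_MS << shift;  /* 1000, 2000, 4000, ... */
}

/* Successful login: forget the host's failure history. */
void forget_host(const char *remote_host)
{
    struct host_state *s = lookup(remote_host, 0);
    if (s != NULL)
        memset(s, 0, sizeof *s);
}

/* The sshd side of the contract: ask the hook, then clamp so a buggy or hostile
 * plugin can neither stall the daemon indefinitely nor outlive the login grace
 * period (the "adjust any relevant timeouts" point from the thread). */
uint32_t sshd_delay_after_failure(failed_login_hook hook, const char *remote_host,
                                  const char *user, uint32_t grace_remaining_ms)
{
    uint32_t want = hook(remote_host, user);
    if (want > MAX_DELAY_MS)
        want = MAX_DELAY_MS;
    if (want > grace_remaining_ms)
        want = grace_remaining_ms;
    return want;
}

int main(void)
{
    /* Constructed sample: 192.0.2.0/24 is documentation space (RFC 5737). */
    const char *attacker = "192.0.2.10";
    for (int i = 0; i < 8; i++)
        printf("failure %d from %s -> delay %u ms\n", i + 1, attacker,
               sshd_delay_after_failure(backoff_hook, attacker, "root", 120000u));
    forget_host(attacker);
    printf("after success, next failure -> %u ms\n",
           sshd_delay_after_failure(backoff_hook, attacker, "root", 120000u));
    return 0;
}
```

The point of the split is that the policy (how long, per whom, reset on success) stays in the plugin and can be swapped freely, while the daemon keeps the only two decisions that affect its own correctness: the hard cap, and never delaying past the grace period it has already promised the connection.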