search for: ensure_minimum_time_since

...install on arm64 openssh version 1:8.9p1_3ubuntu10 installed. Whe I ssh to the machine with an authorized key in an LDAP account it takes approx 17seconds to get a shell prompt. When I do the same with the same key but to a simple local account, it's under one second. /var/log/auth.log shows ensure_minimum_time_since() "sleeping" for 3.5 seconds. This seems to happen more than once. And "going in" it says we've already spent 7 seconds. Going from the debug logs I can't find out why and why only when the "target" user is an LDAP one. -- You are receiving this mail because...

Dear colleagues, I have a question about this commit: https://github.com/openssh/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95#diff-a25e40214ca9c9f78abce22f23bf2abdb2a24384c6610d60bbb314aed534eb48R216 The function ensure_minimum_time_since effectively doubles the time spent in the input_userauth_request (mostly presumably in PAM). So if PAM processing is really slow, it will cause huge delays - but if it is so slow, it's more difficult to perform the enumeration attack. So doesn't it make sense to provide an upper limit here...

...s at redhat.com> wrote: > > Dear colleagues, > > I have a question about this commit: > > https://github.com/openssh/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95#diff-a25e40214ca9c9f78abce22f23bf2abdb2a24384c6610d60bbb314aed534eb48R216 > > The function ensure_minimum_time_since effectively doubles the time > spent in the input_userauth_request (mostly presumably in PAM). So if > PAM processing is really slow, it will cause huge delays - but if it > is so slow, it's more difficult to perform the enumeration attack. > > So doesn't it make sense to pro...

On 30/06/2023 09:56, Damien Miller wrote: > It's very hard to figure out what is happening here without a debug log. > > You can get one by stopping the listening sshd and running it manually > in debug mode, e.g. "/usr/sbin/sshd -ddd" Or starting one in debug mode on a different port, e.g. "-p99 -ddd"

...5 TOTO sshd[19126]: debug1: userauth_send_banner: sent [preauth] Jul 7 11:52:15 TOTO sshd[19126]: debug2: input_userauth_request: try method none [preauth] Jul 7 11:52:15 TOTO sshd[19126]: debug3: user_specific_delay: user specific delay 0.000ms [preauth] Jul 7 11:52:15 TOTO sshd[19126]: debug3: ensure_minimum_time_since: elapsed 73.257ms, delaying 64.508ms (requested 8.610ms) [preauth] Jul 7 11:52:15 TOTO sshd[19126]: debug3: userauth_finish: failure partial=0 next methods="publickey" [preauth] Jul 7 11:52:15 TOTO sshd[19126]: debug3: send packet: type 51 [preauth] Jul 7 11:52:15 TOTO sshd[19126]: deb...