Subject: Re: Interesting security discovery.
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Alex Pelts <alexp@broadcom.com>
List: tech-security
Date: 09/14/2006 13:56:23

I can think of many things to put in sshd if I am to modify the code.
The thing is that I don't want to modify sshd code.

Regards,
Alex


Michael Richardson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
>>>>>> "Alex" == Alex Pelts <alexp@broadcom.com> writes:
>     Alex> That is always a possibility even without adding a
>     Alex> delay. There is a setting in sshd_conf that limits the number of
>     Alex> unauthenticated connections. Using this setting it will also be
>     Alex> possible to create a denial of service condition.  Creating a
>     Alex> delay will serve as a possible deterrent to automated password
>     Alex> guessing. As I mentioned it is not good on busy interactive
>     Alex> ssh servers, but on game/http/ftp servers where the number of
>     Alex> interactive ssh logins is low, this could be used.
> 
>     Alex> Are there any other problems with this besides denial of
>     Alex> service?
> 
>   It would be better if you put:
>      sleep(rand() & 0x4f);
> 
>   into the password fail path of sshd, before it responds to the user.
> (I need to think about whether or not to put this in the success path too)
> 
>   That way:
>        a) you do not affect successful logins.
>        b) you do not affect RSA logins.
> 
>   The other thing that would be nice is to lower the TCP receive window
> size to 1 byte...
> 
> - -- 
> ]            Bear: "Me, I'm just a the shape of a bear."        |  firewalls  [
> ]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
> ] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
> 
> 
>
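
The failure-path delay suggested in the quoted message, as an added example that is not code from this thread or from sshd: it enumerates the delays that the mask `0x4f` can produce and models a reply hook that delays only failed password attempts. The names `masked_delay`, `distinct_delays`, `reply_delay` and the `method` enum are hypothetical, and the random draw is passed in as a parameter so the result is reproducible.

```c
#include <stdio.h>

#define DELAY_MASK 0x4fu   /* mask from the quoted sleep(rand() & 0x4f) */

/* Delay in seconds for one random draw r. */
unsigned masked_delay(unsigned r) { return r & DELAY_MASK; }

/* Count the distinct delays the mask can yield; report the largest one. */
unsigned distinct_delays(unsigned *max_out) {
    unsigned char seen[256] = {0};
    unsigned count = 0, max = 0;
    for (unsigned r = 0; r < 256; r++) {   /* low 8 bits cover every mask bit */
        unsigned d = masked_delay(r);
        if (!seen[d]) { seen[d] = 1; count++; }
        if (d > max) max = d;
    }
    if (max_out) *max_out = max;
    return count;
}

/* Hypothetical authentication methods (assumption, not sshd's own types). */
enum method { METHOD_PASSWORD, METHOD_PUBKEY };

/* Seconds to wait before replying: only a failed password attempt is
 * delayed, so successful and public-key logins are unaffected. */
unsigned reply_delay(enum method m, int authenticated, unsigned r) {
    if (m != METHOD_PASSWORD || authenticated)
        return 0;
    return masked_delay(r);
}

int main(void) {
    unsigned max, n = distinct_delays(&max);
    /* 0x4f sets bits 0-3 and 6, so delays fall in 0-15 and 64-79 seconds. */
    printf("mask 0x%x: %u distinct delays, longest %u s\n", DELAY_MASK, n, max);
    printf("failed password:   %u s\n", reply_delay(METHOD_PASSWORD, 0, 0x7bu));
    printf("accepted password: %u s\n", reply_delay(METHOD_PASSWORD, 1, 0x7bu));
    printf("public key:        %u s\n", reply_delay(METHOD_PUBKEY, 0, 0x7bu));
    return 0;
}
```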