Subject: Re: Interesting security discovery.
To: Alex Pelts <alexp@broadcom.com>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 09/14/2006 16:52:54
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Alex" == Alex Pelts <alexp@broadcom.com> writes:
    Alex> That is always a possibility even without adding a
    Alex> delay. There is a setting in sshd_conf that limits the number of
    Alex> unauthenticated connections. Using this setting will also
    Alex> possibly create a denial of service condition.  Creating a
    Alex> delay will serve as a possible deterrent to automated password
    Alex> guessing. As I mentioned it is not good on busy interactive
    Alex> ssh servers, but on game/http/ftp servers where the number of
    Alex> interactive ssh logins is low, this could be used.

    Alex> Are there any other problems with this besides denial of
    Alex> service?

  It would be better if you put:
     sleep(rand() & 0x4f);

  into the password fail path of sshd, before it responds to the user.
(I need to think about whether or not to put this in the success path too)

  That way:
       a) you do not affect successful logins.
       b) you do not affect RSA logins.

  The other thing that would be nice is to lower the TCP receive window
size to 1 byte...

- -- 
]            Bear: "Me, I'm just a the shape of a bear."        |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRQnBJICLcPvd0N1lAQI3JwgAqZ+BLxbfQerGi9Qt2fHGpzAwMaDLEdpm
TyMNPvk+tbqe5ViPFt2dZfSHR4dFsnqGXv5osTUcGUBsvhs0Vl9SjQhvNd7JGgMK
lSoYrlFChWV0+xAmmm2986mp8wANVSZ0sIEc59nb9c8IxuZfFNjS1hU2Y9dqV/b5
SzWI8qzBc1MMNF5MLASaRmOTFSUOD7BO4MadGSikpcJ4z3RaEwSJuXtZ+xclPAb0
TOXGre2DbRK+bik+EcJ9W9+OehpF8cjDc7IsLM5a1Q3lioZy/bKZluzVRai73aH2
xH4Kk3xqhVpmbNoORQwAlYsc8t0pcJ/NrfqcAdLyELj2yLAPXh3fFQ==
=7JG2
-----END PGP SIGNATURE-----
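An added illustration of the fail-path delay proposed above (example code written for this page; it is not from the mail and not OpenSSH's own code). It models sshd's authentication decision as a pure function so the two properties claimed, (a) successful logins are not delayed and (b) public-key logins are not delayed, can be checked directly, and it shows what sleep(rand() & 0x4f) actually yields: because the mask 0x4f has five bits set, only 32 distinct delays are reachable, 0-15 and 64-79 seconds. The credential table, check_password, response_delay and the other names are hypothetical stand-ins; the TCP receive-window idea is not covered.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

enum auth_method { AUTH_PASSWORD, AUTH_PUBKEY };
enum auth_result { AUTH_OK, AUTH_FAIL };

/* Constructed credential table standing in for sshd's real password check;
   the users and passwords are sample data, not from any system. */
static const struct { const char *user; const char *password; } users[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Hypothetical stand-in for the password check inside sshd. */
enum auth_result check_password(const char *user, const char *pw)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].user, user) == 0 &&
            strcmp(users[i].password, pw) == 0)
            return AUTH_OK;
    return AUTH_FAIL;
}

/* The delay from the mail, sleep(rand() & 0x4f), with the random value
   passed in so the mapping can be inspected without calling rand().
   0x4f = 0100 1111b has five bits set, so only 32 distinct delays are
   reachable: 0-15 and 64-79 seconds, nothing in between. */
unsigned fail_delay_from(unsigned r)
{
    return r & 0x4f;
}

/* Number of distinct sleep lengths the mask can produce over all rand()
   values (only the low 7 bits matter, so 0..255 covers every case). */
unsigned distinct_fail_delays(void)
{
    unsigned char seen[0x100] = { 0 };
    unsigned count = 0;
    for (unsigned r = 0; r < 0x100; r++) {
        unsigned d = fail_delay_from(r);
        if (!seen[d]) { seen[d] = 1; count++; }
    }
    return count;
}

/* Seconds sshd should sleep before sending its response for this attempt.
   Only the password-failure path is delayed, so successful logins and
   public-key logins are unaffected, which is the point of the proposal. */
unsigned response_delay(enum auth_method m, enum auth_result res, unsigned r)
{
    if (m == AUTH_PASSWORD && res == AUTH_FAIL)
        return fail_delay_from(r);
    return 0;
}

int main(void)
{
    srand((unsigned)time(NULL));
    const char *attempts[][2] = {
        { "alice",   "correct horse" },   /* success: no delay */
        { "alice",   "wrong" },           /* failure: delayed  */
        { "mallory", "hunter2" },         /* failure: delayed  */
    };
    for (size_t i = 0; i < 3; i++) {
        enum auth_result res = check_password(attempts[i][0], attempts[i][1]);
        unsigned d = response_delay(AUTH_PASSWORD, res, (unsigned)rand());
        /* A real sshd would sleep(d) here; print instead so the demo is quick. */
        printf("%-8s password auth: %s, delay %u s\n",
               attempts[i][0], res == AUTH_OK ? "ok" : "fail", d);
    }
    printf("pubkey failure delay: %u s\n",
           response_delay(AUTH_PUBKEY, AUTH_FAIL, (unsigned)rand()));
    printf("distinct delays reachable with & 0x4f: %u\n", distinct_fail_delays());
    return 0;
}
```

The delay is computed once per failed password attempt and nothing is charged to successes or to public-key authentication, so the cost lands only on the guesser. If a contiguous 0-79 second range is wanted, `rand() % 80` gives it; the mask as written leaves the 16-63 second band unused.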