Limit artificial delays in sshd while login using AD user
Resolves: RHEL-2469
This commit is contained in:
parent
d8b51e8341
commit
a43be164ec
33
openssh-9.4p2-limit-delay.patch
Normal file
33
openssh-9.4p2-limit-delay.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
diff -u -p -r1.166 auth2.c
|
||||||
|
--- a/auth2.c 8 Mar 2023 04:43:12 -0000 1.166
|
||||||
|
+++ b/auth2.c 28 Aug 2023 08:32:44 -0000
|
||||||
|
@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_
|
||||||
|
}
|
||||||
|
|
||||||
|
#define MIN_FAIL_DELAY_SECONDS 0.005
|
||||||
|
+#define MAX_FAIL_DELAY_SECONDS 5.0
|
||||||
|
static double
|
||||||
|
user_specific_delay(const char *user)
|
||||||
|
{
|
||||||
|
@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start,
|
||||||
|
struct timespec ts;
|
||||||
|
double elapsed = monotime_double() - start, req = seconds, remain;
|
||||||
|
|
||||||
|
+ if (elapsed > MAX_FAIL_DELAY_SECONDS) {
|
||||||
|
+ debug3_f("elapsed %0.3lfms exceeded the max delay "
|
||||||
|
+ "requested %0.3lfms)", elapsed*1000, req*1000);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* if we've already passed the requested time, scale up */
|
||||||
|
while ((remain = seconds - elapsed) < 0.0)
|
||||||
|
seconds *= 2;
|
||||||
|
@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32
|
||||||
|
debug2("input_userauth_request: try method %s", method);
|
||||||
|
authenticated = m->userauth(ssh);
|
||||||
|
}
|
||||||
|
- if (!authctxt->authenticated)
|
||||||
|
+ if (!authctxt->authenticated && strcmp(method, "none") != 0)
|
||||||
|
ensure_minimum_time_since(tstart,
|
||||||
|
user_specific_delay(authctxt->user));
|
||||||
|
userauth_finish(ssh, authenticated, method, NULL);
|
@ -284,6 +284,8 @@ Patch1014: openssh-8.7p1-UTC-time-parse.patch
|
|||||||
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
|
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
|
||||||
#upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237
|
#upstream commit b7afd8a4ecaca8afd3179b55e9db79c0ff210237
|
||||||
Patch1016: openssh-9.3p1-openssl-compat.patch
|
Patch1016: openssh-9.3p1-openssl-compat.patch
|
||||||
|
#upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
|
||||||
|
Patch1017: openssh-9.4p2-limit-delay.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
@ -504,6 +506,7 @@ popd
|
|||||||
%patch1014 -p1 -b .utc_parse
|
%patch1014 -p1 -b .utc_parse
|
||||||
%patch1015 -p1 -b .cve-2023-38408
|
%patch1015 -p1 -b .cve-2023-38408
|
||||||
%patch1016 -p1 -b .openssl3compat
|
%patch1016 -p1 -b .openssl3compat
|
||||||
|
%patch1017 -p1 -b .limitdelay
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
@ -793,6 +796,8 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
* Mon Oct 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-35
|
* Mon Oct 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-35
|
||||||
- Relax OpenSSH checks for OpenSSL version
|
- Relax OpenSSH checks for OpenSSL version
|
||||||
Resolves: RHEL-4734
|
Resolves: RHEL-4734
|
||||||
|
- Limit artificial delays in sshd while login using AD user
|
||||||
|
Resolves: RHEL-2469
|
||||||
|
|
||||||
* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
|
* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
|
||||||
- Avoid remote code execution in ssh-agent PKCS#11 support
|
- Avoid remote code execution in ssh-agent PKCS#11 support
|
||||||
|
Loading…
Reference in New Issue
Block a user