rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity

Limit artificial delays in sshd while login using AD user

Browse Source 
Resolves: RHEL-1684
This commit is contained in:
Dmitry Belyavskiy 2023-10-30 12:50:36 +01:00
parent c38c04eca8
commit a636f3d32f
2 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
openssh-9.4p2-limit-delay.patch Normal file
View File

@ -0,0 +1,33 @@
diff -u -p -r1.166 auth2.c
--- a/auth2.c 8 Mar 2023 04:43:12 -0000 1.166
+++ b/auth2.c 28 Aug 2023 08:32:44 -0000
@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_
}
#define MIN_FAIL_DELAY_SECONDS 0.005
+#define MAX_FAIL_DELAY_SECONDS 5.0
static double
user_specific_delay(const char *user)
{
@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start,
struct timespec ts;
double elapsed = monotime_double() - start, req = seconds, remain;
+ if (elapsed > MAX_FAIL_DELAY_SECONDS) {
+ debug3("elapsed %0.3lfms exceeded the max delay "
+ "requested %0.3lfms)", elapsed*1000, req*1000);
+ return;
+ }
+
/* if we've already passed the requested time, scale up */
while ((remain = seconds - elapsed) < 0.0)
seconds *= 2;
@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32
debug2("input_userauth_request: try method %s", method);
authenticated = m->userauth(ssh);
}
- if (!authctxt->authenticated)
+ if (!authctxt->authenticated && strcmp(method, "none") != 0)
ensure_minimum_time_since(tstart,
user_specific_delay(authctxt->user));
userauth_finish(ssh, authenticated, method, NULL);

9
openssh.spec
View File

@ -66,7 +66,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.0p1 %global openssh_ver 8.0p1
%global openssh_rel 19 %global openssh_rel 20
%global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 7 %global pam_ssh_agent_rel 7
@ -280,6 +280,8 @@ Patch987: openssh-8.0p1-ipv6-process.patch
# upsream commit # upsream commit
# b23fe83f06ee7e721033769cfa03ae840476d280 # b23fe83f06ee7e721033769cfa03ae840476d280
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
#upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
Patch1017: openssh-9.4p2-limit-delay.patch
License: BSD License: BSD
Group: Applications/Internet Group: Applications/Internet
@ -521,6 +523,7 @@ popd
%patch100 -p1 -b .coverity %patch100 -p1 -b .coverity
%patch1015 -p1 -b .cve-2023-38408 %patch1015 -p1 -b .cve-2023-38408
%patch1017 -p1 -b .limitdelay
autoreconf autoreconf
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -806,6 +809,10 @@ getent passwd sshd >/dev/null || \
%endif %endif
%changelog %changelog
* Mon Oct 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-20
- Limit artificial delays in sshd while login using AD user
Resolves: RHEL-1684
* Thu Aug 24 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19 * Thu Aug 24 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19
- rebuilt - rebuilt
Related: CVE-2023-38408 Related: CVE-2023-38408