Hi again,

it's once more about this SSH trap thing.

I have received some answers which proposed to use configuration options
like "DenyUsers *" to deny all logins. That approach sounds more
promising, especially from the developer's perspective, because it
wouldn't need tweaks in the code itself. I must admit I hadn't tried this!

And, in fact, it does work: all credentials are rejected, even if
they're correct. The effort is in fact a lot lower than with my
circumstantial tweaks in the source code itself.

However, the daemon behaves slightly differently when the "DenyUsers *"
option is used. By default, sshd disconnects when the third wrong set of
credentials has been provided. With "DenyUsers *", this always happens
after the first attempt. In some (admittedly very rare) cases, that
_might_ alert an attacker. (And as stated earlier, the intention was to
have a trap that behaves essentially like an unmodified daemon does.)

But in most cases this difference _should_ remain unnoticed, since brute
force attackers usually disconnect after the first failed attempt anyway
and reconnect.
openssh-unix-dev mailing list
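The value of a "DenyUsers *" trap lies in what it logs, so the following is an added example (not code from the post or from OpenSSH) of the defender's side: a small parser that reads sshd log lines from such a trap, counts rejected attempts per source address, and checks the behaviour described above, namely that each attempt arrives in its own connection (one sshd process per attempt). The log line wording follows OpenSSH's DenyUsers rejection message and its "Failed password" message as I know them; the sample lines themselves, the hostname "trap", the PIDs and the documentation-range addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log in the style of OpenSSH auth logging; not a real capture.
# Each rejected attempt on a "DenyUsers *" trap shows up as a DenyUsers line
# followed by a "Failed password" line, and sshd disconnects after that one attempt.
SAMPLE_LOG = """\
Mar  3 10:01:02 trap sshd[1201]: User root from 198.51.100.7 not allowed because listed in DenyUsers
Mar  3 10:01:02 trap sshd[1201]: Failed password for invalid user root from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:03 trap sshd[1201]: Connection closed by invalid user root 198.51.100.7 port 40122 [preauth]
Mar  3 10:01:05 trap sshd[1204]: User admin from 198.51.100.7 not allowed because listed in DenyUsers
Mar  3 10:01:05 trap sshd[1204]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar  3 10:02:10 trap sshd[1210]: User pi from 203.0.113.9 not allowed because listed in DenyUsers
Mar  3 10:02:10 trap sshd[1210]: Failed password for invalid user pi from 203.0.113.9 port 51000 ssh2
Mar  3 10:02:11 trap sshd[1210]: Connection closed by invalid user pi 203.0.113.9 port 51000 [preauth]
Mar  3 10:05:00 trap sshd[1000]: Server listening on 0.0.0.0 port 22.
"""

# Rejection caused by DenyUsers (the trap's signature line).
DENY_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: User (?P<user>\S+) from (?P<src>\S+) "
    r"not allowed because listed in DenyUsers"
)
# Generic password failure; "invalid user" is present when the name is not accepted.
FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_trap_events(text):
    """Return a list of dicts for every DenyUsers rejection and password failure."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append({"kind": "denied", "user": m["user"],
                           "src": m["src"], "pid": int(m["pid"])})
            continue
        m = FAIL_RE.search(line)
        if m:
            events.append({"kind": "failed", "user": m["user"], "src": m["src"],
                           "pid": int(m["pid"]), "port": int(m["port"])})
        # Anything else (disconnects, startup notices) is not an attempt; skip it.
    return events


def summarize_by_source(events):
    """Per source address: number of rejected attempts, user names tried,
    and the number of distinct sshd processes (one per client connection)."""
    acc = defaultdict(lambda: {"attempts": 0, "users": set(), "pids": set()})
    for ev in events:
        if ev["kind"] != "denied":
            continue
        entry = acc[ev["src"]]
        entry["attempts"] += 1
        entry["users"].add(ev["user"])
        entry["pids"].add(ev["pid"])
    return {
        src: {"attempts": v["attempts"], "users": sorted(v["users"]),
              "sessions": len(v["pids"])}
        for src, v in acc.items()
    }


def one_attempt_per_session(summary):
    """True when every rejected attempt came in its own connection, which is the
    pattern the post describes for "DenyUsers *" (disconnect after the first try)."""
    return all(v["attempts"] == v["sessions"] for v in summary.values())


if __name__ == "__main__":
    summary = summarize_by_source(parse_trap_events(SAMPLE_LOG))
    for src, info in sorted(summary.items()):
        print(f"{src}: {info['attempts']} attempt(s) in {info['sessions']} "
              f"connection(s), users tried: {', '.join(info['users'])}")
    print("one attempt per connection:", one_attempt_per_session(summary))
```

On a real trap the same two regular expressions can be run over the auth log (or over journald output) unchanged; the summary keyed by source address is what you would feed into alerting, and the attempts-versus-sessions check is a cheap way to confirm the trap is still behaving the way this configuration makes it behave.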