Bug#289573: ssh: IMHO LoginGraceTime default value is too long

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#289573: ssh: IMHO LoginGraceTime default value is too long
From: Andrew Pollock <apollock@debian.org>
Date: Mon, 10 Jan 2005 09:38:48 +1100
Message-id: <[🔎] 200501092238.j09McnMd008549@caesar.andrew.net.au>
Reply-to: Andrew Pollock <apollock@debian.org>, 289573@bugs.debian.org

Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: important

ObSeverity: I think this issue is important due to the denial of service
rammifications involved, however I respect your opinion, and you may
downgrade the severity as you see fit.

I my opinion, a LoginGraceTime of 10 minutes is really bad, as I have
personally seen on a number of occasions, my server get totally blocked
up by unauthenticated SSH connections (presumably relating to the
brute-force SSH attacks running around at the moment) and if I didn't
have an SSH connection already open, I wouldn't be able to login for 10
minutes, or potentially longer if someone was actively trying to gum up
the works and constantly make SSH connections.

I can't think of any reason why you'd want to leave an unauthenticated
SSH connection open for that long. I think even 60 seconds is pretty
generous.

regards

Andrew

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ssh depends on:
ii  adduser                     3.59         Add and remove users and groups
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  dpkg                        1.10.25      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-18 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7e-2     SSL shared libraries
ii  libwrap0                    7.6.dbs-6    Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.2-3    compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/privsep_ask: true
  ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
  ssh/disable_cr_auth: false
* ssh/privsep_tell:
  ssh/ssh2_keys_merged:
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true

Reply to:

Prev by Date: Bug#117318: Hey, It's me, Wiley TSS28426 from MSN
Next by Date: Bug#289592: a BindAddress6 option is needed
Previous by thread: Bug#117318: Hey, It's me, Wiley TSS28426 from MSN
Next by thread: Bug#289592: a BindAddress6 option is needed
Index(es):
- Date
- Thread