andrewmusselman opened a new issue, #723:
URL: https://github.com/apache/tooling-trusted-releases/issues/723
**ASVS Reference:** 6.3.1 (Finding HIGH-002)
### Description
The SSH server (`atr/ssh.py`) accepts unlimited authentication attempts
without connection rate limiting, failed attempt tracking, or IP blocking. An
attacker can rapidly attempt SSH authentication with different keys,
potentially exhausting server resources.
### Affected Code
`atr/ssh.py` — `SSHServer` class (lines ~64–114)
```python
import logging

import asyncssh

log = logging.getLogger(__name__)  # assumed; the excerpt does not show how `log` is defined


class SSHServer(asyncssh.SSHServer):
    def connection_made(self, conn: asyncssh.SSHServerConnection) -> None:
        self._conn = conn
        peer_addr = conn.get_extra_info("peername")[0]
        log.info(f"SSH connection received from {peer_addr}")  # Logging only, no rate limiting

    async def begin_auth(self, username: str) -> bool:
        log.info(f"Beginning auth for user {username}")
        return True  # Always allows attempt, no tracking

    async def validate_public_key(self, username: str, key: asyncssh.SSHKey) -> bool:
        if username != "github":
            return False  # Silent failure, no tracking
```
### Mitigating Controls
Workflow SSH keys have a 20-minute TTL, providing partial time-based
protection.
### Recommendation
Implement connection-level rate limiting with IP blocking after repeated
failures. Track failed authentication attempts per IP with a sliding window
(e.g., block after 5 failures in 5 minutes for 10 minutes).
Also up for discussion: using `fail2ban`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
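The policy the issue recommends (block after 5 failures in 5 minutes for 10 minutes), as an added example that is not code from the issue or from `apache/tooling-trusted-releases`. The class name `AuthRateLimiter`, the `simulate` driver and the IP addresses in `CONSTRUCTED_ATTEMPTS` are all constructed for illustration. The clock is injectable so the windowing and expiry logic can be exercised offline without a real SSH listener.

```python
"""Per-IP sliding-window failure tracking with temporary blocking.

Hypothetical example; defaults follow the issue's suggested policy:
block an IP for 10 minutes once it has 5 failures within any 5-minute window.
"""
import time
from collections import defaultdict, deque


class AuthRateLimiter:
    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 block_seconds: float = 600.0, clock=time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.block = block_seconds
        self.clock = clock  # injectable so the policy can be tested offline
        self._failures: dict[str, deque[float]] = defaultdict(deque)
        self._blocked_until: dict[str, float] = {}

    def is_blocked(self, ip: str) -> bool:
        """Intended for connection_made(): close the connection when True."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self._blocked_until[ip]  # block expired; the IP starts clean
        return False

    def record_failure(self, ip: str) -> bool:
        """Intended for every rejected credential (e.g. validate_public_key
        returning False). Returns True when this failure tripped the block.
        Successes deliberately do not reset the counter: an attacker holding one
        valid credential could otherwise interleave it to stay under the limit."""
        now = self.clock()
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # sliding window: forget old failures
            q.popleft()
        if len(q) >= self.max_failures:
            self._blocked_until[ip] = now + self.block
            q.clear()
            return True
        return False

    def sweep(self) -> None:
        """Drop state for IPs with no recent failures, so the tracker itself
        cannot be grown without bound by a scanner cycling source addresses."""
        now = self.clock()
        for ip in list(self._failures):
            q = self._failures[ip]
            if not q or now - q[-1] > self.window:
                del self._failures[ip]


class FakeClock:
    """Constructed clock for offline simulation."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate(attempts):
    """attempts: (seconds, ip, credential_ok) tuples in time order.
    Returns one outcome per attempt: 'rejected' (closed before auth because
    the IP is blocked), 'allowed', 'failed', or 'blocked' (this failure
    tripped the block)."""
    clock = FakeClock()
    limiter = AuthRateLimiter(clock=clock)
    outcomes = []
    for t, ip, ok in attempts:
        clock.now = t
        if limiter.is_blocked(ip):
            outcomes.append("rejected")
        elif ok:
            outcomes.append("allowed")
        elif limiter.record_failure(ip):
            outcomes.append("blocked")
        else:
            outcomes.append("failed")
    return outcomes


# Constructed scenario (not real traffic). 10.0.0.9 burns 5 failures in 40s and
# is blocked for 600s; 203.0.113.5 spreads failures so the oldest slides out of
# the 300s window and it never reaches 5; 198.51.100.7 is unaffected throughout.
CONSTRUCTED_ATTEMPTS = [
    (0, "10.0.0.9", False), (10, "10.0.0.9", False), (20, "10.0.0.9", False),
    (30, "10.0.0.9", False), (40, "10.0.0.9", False),   # 5th failure -> blocked
    (41, "10.0.0.9", True),        # even a valid key is rejected while blocked
    (45, "198.51.100.7", True),    # other IP unaffected
    (50, "203.0.113.5", False), (150, "203.0.113.5", False),
    (250, "203.0.113.5", False), (350, "203.0.113.5", False),
    (360, "203.0.113.5", False),   # failure at t=50 has slid out: still only 4
    (641, "10.0.0.9", True),       # block (40 + 600) has expired
]

if __name__ == "__main__":
    for attempt, outcome in zip(CONSTRUCTED_ATTEMPTS, simulate(CONSTRUCTED_ATTEMPTS)):
        print(attempt, "->", outcome)
```

Wiring this into `SSHServer` means calling `is_blocked(peer_addr)` in `connection_made` and closing the connection when it returns True, and calling `record_failure(peer_addr)` on every path where `validate_public_key` returns False, including the current silent `username != "github"` branch. That same branch is why a `fail2ban`-based alternative would not work as the code stands: `fail2ban` can only act on failures that are logged with the peer address. Two caveats on the per-IP design: clients behind a shared NAT or proxy share one counter, and a distributed scanner sees a fresh budget from every source address, so the limiter bounds the rate per IP rather than the total. The 20-minute key TTL limits how long a leaked key stays usable; it does not slow down guessing, which is what this control is for.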