asf-tooling opened a new issue, #1023:
URL: https://github.com/apache/tooling-trusted-releases/issues/1023
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The SSH authentication pathway does not implement the rate limiting that is
enforced on the Web OAuth (100 req/min) and JWT API (500 req/hr) pathways. While
workflow SSH keys are high-entropy and short-lived, the lack of rate limiting
allows an attacker to make unlimited SSH authentication attempts, consuming
server resources through connection handling overhead, database queries for key
lookups (one per attempt), LDAP queries, and log file growth. This is separate
from AUTH-RATE-001: this finding focuses on consistency across authentication
pathways per ASVS 6.3.4.
### Details
Affected locations:
- `atr/ssh.py`: SSH server without rate limiting
- `atr/server.py`: No rate limiting for SSH connections
The SSH server accepts unlimited connection attempts without any rate
limiting at the application layer.
### Recommended Remediation
Implement connection tracking per IP address in the
`SSHServer.connection_made()` method:
```python
import logging
import time

log = logging.getLogger(__name__)


class SSHServer:  # in the real server this derives from the existing SSH server base class
    # Per-source-IP timestamps, shared by all instances. Only the entry for the
    # IP being checked is pruned, so idle IPs stay in the dict until restart.
    _connection_timestamps: dict[str, list[float]] = {}
    _MAX_CONNECTIONS_PER_MINUTE = 20

    def connection_made(self, transport):
        """Track connections per IP and enforce rate limit."""
        remote_addr = transport.get_extra_info('peername')[0]
        now = time.time()
        # Clean old timestamps (older than 60 seconds)
        timestamps = self._connection_timestamps.get(remote_addr, [])
        recent = [t for t in timestamps if now - t < 60]
        # Enforce rate limit
        if len(recent) >= self._MAX_CONNECTIONS_PER_MINUTE:
            log.warning('ssh_rate_limit_exceeded', extra={'remote_addr': remote_addr})
            transport.close()
            return
        # Record this connection (rejected attempts are not recorded)
        recent.append(now)
        self._connection_timestamps[remote_addr] = recent
        # Continue with normal connection handling
        super().connection_made(transport)
```
Include logging of rate limit violations.
### Acceptance Criteria
- [ ] SSH connections are rate limited per IP address
- [ ] Rate limit is consistent with other authentication pathways
- [ ] Exceeded rate limits are logged
- [ ] Test cases verify rate limiting
- [ ] Unit test verifying the fix
### References
- Source reports: L2:6.3.4.md
- Related findings: FINDING-004
- ASVS sections: 6.3.4
### Priority
Medium
---
**Related issue:**
https://github.com/apache/tooling-trusted-releases/issues/723
---
**Triage notes:** related to
https://github.com/apache/tooling-trusted-releases/issues/723
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.