[go-nuts] Re: Is there functionality in golang.org/x/crypto/ssh to close a SSH connection server-side after N number of (password) tries?

Tue, 14 Mar 2017 03:35:02 -0700 


On Sunday, February 26, 2017 at 6:47:34 AM UTC+1, Tamás Gulácsi wrote:
>
> Provide a proper PasswordCallback to your server, as in the NewServerConn 
> example (https://godoc.org/golang.org/x/crypto/ssh#NewServerConn).
>
> Thats your function, you can program any algorithm you wish.
>

Thanks for the advise, I looked into it. I was hoping that ssh/server.go 
implemented RFC4252, par. 4::

"[...] Additionally, the implementation SHOULD limit the number of failed 
authentication 
attempts a client may perform in a single session (the RECOMMENDED limit is 
20 attempts).
If the threshold is exceeded, the server SHOULD disconnect."

The reason why I need this is that there are currently SSH brute-force bots 
out there which are so badly written, they retry (the same username and 
password combination) for pretty much as long as nothing else times 
out/fails.

Anyway, my attempts to build a maxTries algorithm into PasswordCallback 
were getting uglier by the minute, so I ended up with this solution/kludge 
to limit the amount of retries within a session:
The good thing about this is the maxTries works per session, which within 
PasswordCallback was a real problem to do (at least for me, I'm still very 
much out of my depth when it comes to golang).

diff --git a/ssh/server.go b/ssh/server.go
index 37df1b3..4ba569e 100644
--- a/ssh/server.go
+++ b/ssh/server.go
@@ -263,6 +263,8 @@ func (s *connection) serverAuthenticate(config 
*ServerConfig) (*Permissions, err
        var err error
        var cache pubKeyCache
        var perms *Permissions
+       var sum = 0
+       const maxTries = 3
 
 userAuthLoop:
        for {
@@ -300,8 +302,11 @@ userAuthLoop:
                        if !ok || len(payload) > 0 {
                                return nil, parseError(msgUserAuthRequest)
                        }
-
                        perms, authErr = config.PasswordCallback(s, 
password)
+                       if sum >= maxTries {
+                               break userAuthLoop
+                       }
+                       sum += 1
                case "keyboard-interactive":
                        if config.KeyboardInteractiveCallback == nil {
                                authErr = errors.New("ssh: 
keyboard-interactive auth not configubred")



-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to