x/crypto/ssh: fix documentation for ssh.NewServerConn to avoid potential DoS attack #43521
What version of Go are you using (go version)?

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

What did you do?

I followed the example here for building an ssh server: https://gist.github.com/jpillora/b480fde82bff51a06238
This contains the code
The problem with this code is that calling ssh.NewServerConn can take an arbitrary length of time as it might have to ask the user for a password. In fact calling it like this is setting up a potential DoS attack - one user can take as long as desired to do the authentication, blocking any other users from connecting.

The documentation for ssh.NewServerConn should be changed to say that it must be called in a new go routine and should not be called in the same go routine as the Listen loop.

It might be a good idea if the example for ssh.NewServerConn was changed to show a loop around the Listen call with the ssh.NewServerConn being called in a go routine.

This was originally discovered in rclone/rclone#4882 - thanks to @FiloSottile for working out the cause of the problem and suggesting making this issue.
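
The accept loop the issue asks for, as an added example that is not part of the original issue or of the x/crypto/ssh package. Handshake, Serve and Demo are hypothetical names; Handshake stands in for the blocking ssh.NewServerConn call so the block runs with the standard library only, and the per-connection deadline goes beyond what the issue requests.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Handshake stands in for ssh.NewServerConn(conn, config), not imported here (assumption).
type Handshake func(net.Conn) error

// Serve runs each handshake in its own goroutine so a stalled client cannot
// block Accept; the deadline bounds how long an unauthenticated client may wait.
func Serve(ln net.Listener, hs Handshake, timeout time.Duration, ok chan<- bool) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		go func(c net.Conn) {
			defer c.Close()
			c.SetDeadline(time.Now().Add(timeout))
			ok <- hs(c) == nil // a real server would go on to serve channels here
		}(conn)
	}
}

// Demo (constructed): client 0 connects and stays silent, client 1 completes
// the stand-in handshake by sending one byte. Results come back in finish order.
func Demo() (first, second bool, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return
	}
	defer ln.Close()
	results := make(chan bool, 2)
	readByte := func(c net.Conn) error { _, e := c.Read(make([]byte, 1)); return e }
	go Serve(ln, readByte, 500*time.Millisecond, results)
	var conns [2]net.Conn
	for i := range conns {
		if conns[i], err = net.Dial("tcp", ln.Addr().String()); err != nil {
			return
		}
		defer conns[i].Close()
	}
	conns[1].Write([]byte{1})
	return <-results, <-results, nil
}

func main() { fmt.Println(Demo()) }
```

The second client finishes while the first is still silent, and the silent one is dropped when its deadline expires. With the handshake called inline in the loop, the second client would not be accepted until the first had finished.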