You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Password authentication is now completely handeled in Auth. The normal
keyboard-interactive handler checks if passwords are supported and asks
for them, removing the need to override the callbacks.
Brute force throttling is removed; I'd like to base it on IP address
banning, which requires changes to the checks.
I'm not sure, but I think timing attacks against the password are fixed:
- The hashing of the real password happens only at startup.
- The hashing of a provided password is something an attacker can do
themselves; It doesn't leak anything about the real password.
- The hash comparison is constant-time.
Starting ssh-chat server w/o
--unsafe-passphrase
works, but asssh-chat -i ssh-chat.key --unsafe-passphrase=secret
it refuses to start w/ errorVersions
To Reproduce
Result:
The text was updated successfully, but these errors were encountered: