add a "Match invalid-user" predicate to sshd_config Match options.
author    djm <djm@openbsd.org>
          Sun, 15 Sep 2024 01:18:26 +0000 (01:18 +0000)
committer djm <djm@openbsd.org>
          Sun, 15 Sep 2024 01:18:26 +0000 (01:18 +0000)
commit    5bfd970dbb8fee38014ad5cb31e4b8f296b269e8
tree      5b27259bd1208347d3da81d556264169ea41aaa2
parent    4ad4d979befa76a8400438890fa82e99f8cc01ae
add a "Match invalid-user" predicate to sshd_config Match options.

This allows writing Match conditions that trigger for invalid usernames.
E.g.

PerSourcePenalties refuseconnection:90s
Match invalid-user
  RefuseConnection yes

Will effectively penalise bots trying to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.

feedback markus@
usr.bin/ssh/auth.c
usr.bin/ssh/servconf.c
usr.bin/ssh/servconf.h
usr.bin/ssh/sshd_config.5