Diffstat (limited to 'lib/ssh/doc/src/hardening.xml')
-rw-r--r--  lib/ssh/doc/src/hardening.xml  37
1 files changed, 37 insertions, 0 deletions
diff --git a/lib/ssh/doc/src/hardening.xml b/lib/ssh/doc/src/hardening.xml index 5d65f5da3f..c1d3f7669c 100644 --- a/lib/ssh/doc/src/hardening.xml +++ b/lib/ssh/doc/src/hardening.xml @@ -144,6 +144,43 @@ </section> <section> + <title>Verifying the remote client in a daemon (server)</title> + <taglist> + <tag>Password checking</tag> + <item> + <p>The default password checking is with the list in the + <seeerl marker="ssh#option-user_passwords">user_passwords</seeerl> option in the SSH daemon. + It could be replaced with a <seeerl marker="ssh#option-pwdfun">pwdfun</seeerl> plugin. The + arity four variant (<seetype marker="ssh#pwdfun_4"><c>pwdfun_4()</c></seetype>) + can also be used for introducing delays after failed password checking attempts. Here is a simple + example of such a pwdfun: + </p> + <code> +fun(User, Password, _PeerAddress, State) -> + case lists:member({User,Password}, my_user_pwds()) of + true -> + {true, undefined}; % Reset delay time + false when State == undefined -> + timer:sleep(1000), + {false, 2000}; % Next delay is 2000 ms + false when is_integer(State) -> + timer:sleep(State), + {false, 2*State} % Double the delay for each failure + end +end. +</code> + <p>If a public key is used for logging in, there is normally no checking of the user name. It + could be enabled by setting the option + <seeerl marker="ssh#option-pk_check_user"><c>pk_check_user</c></seeerl> + to <c>true</c>. + In that case the pwdfun will get the atom <c>pubkey</c> in the password argument. + </p> + </item> + + </taglist> + </section> + + <section> <title>Hardening in the cryptographic area</title> <section> <title>Algorithm selection</title> |
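Review bot: the example pwdfun has no upper bound on the delay it returns; each failure yields `{false, 2*State}`, so a client that keeps sending wrong passwords on one connection makes the daemon sleep for ever longer periods (a dozen failures already reaches minutes). Suggest capping it, e.g. `{false, min(2*State, 30000)}`, and saying in the paragraph that the delay only holds that connection's login attempt. Second, the paragraph added right after the example states that with `pk_check_user` set to `true` the pwdfun receives the atom `pubkey` as Password, but the example's `lists:member({User,Password}, my_user_pwds())` then falls into the `false` branches and rejects every public-key login with the failure delay; either add a leading clause such as `fun(User, pubkey, _PeerAddress, _State) -> {lists:keymember(User, 1, my_user_pwds()), undefined};` or say explicitly that the example is only valid when `pk_check_user` is left at its default. Minor style: the `user_passwords` and `pwdfun` links lack the `<c>` wrapper that the `pk_check_user` link in the same section uses.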