author | djm@openbsd.org <djm@openbsd.org> | 2024-09-15 03:18:26 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2024-09-15 03:23:11 +0200 |
commit | 0118a4da21147a88a56dc8b90bbc2849fefd5c1e (patch) | |
tree | bea90dba539be1ff731efd266cee103e7d12a6d9 /sshd_config.5 | |
parent | upstream: Add a "refuseconnection" penalty class to sshd_config (diff) | |

upstream: add a "Match invalid-user" predicate to sshd_config Match
options.

This allows writing Match conditions that trigger for an invalid username.
E.g.

    PerSourcePenalties refuseconnection:90s
    Match invalid-user
        RefuseConnection yes

Will effectively penalise bots trying to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.

feedback markus@
OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07
Diffstat (limited to '')
-rw-r--r-- | sshd_config.5 | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index ce59843e5..41c64f43c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.373 2024/09/15 01:18:26 djm Exp $ .Dd $Mdocdate: September 15 2024 $ .Dt SSHD_CONFIG 5 .Os @@ -1237,9 +1237,11 @@ applied. .Pp The arguments to .Cm Match -are one or more criteria-pattern pairs or the single token -.Cm All -which matches all criteria. +are one or more criteria-pattern pairs or one of the single token criteria: +.Cm All , +which matches all criteria, or +.Cm Invalid-User , +which matches when the requested user-name does not match any known account. The available criteria are .Cm User , .Cm Group , |
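Review bot: the new ".Cm Invalid-User ," text in the second hunk (@@ -1237,9 +1237,11 @@) says when the criterion matches but omits the trade-off the commit message states, that acting on it (as in the RefuseConnection example) implicitly reveals which accounts are invalid. Someone reading only sshd_config(5) would not learn that; suggest a sentence after "does not match any known account." noting that directives applied under this match can disclose account validity to the connecting client. Separately, the commit message example spells the token "invalid-user" while the page documents "Invalid-User", so the text should either say whether the token is case-sensitive or settle on one spelling. Style nit: "single token criteria" reads better as "single-token criteria".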