[Freeciv-Dev] Re: client/server authentication (PR#1767)

["Paul Zastoupil" <paul@xxxxxxxxxxxxx>]

On Fri, Jun 06, 2003 at 07:11:23AM -0700, ChrisK@xxxxxxxx wrote:
> On Fri, Jun 06, 2003 at 06:02:38AM -0700, Raimar Falke wrote:
> > On Wed, Jun 04, 2003 at 01:47:17PM -0700, ChrisK@xxxxxxxx wrote:
> > > On Wed, Jun 04, 2003 at 10:01:24AM -0700, Reinier Post wrote:
> > > > > > I didn't test the patch yet but this sounds wrong. There shouldn't 
> > > > > > be
> > > > > > a timeout for a good password.
> > > > > 
> > > > > You mean a delay?
> > > > > 
> > > > > But that is what ssh does. Needs to be, over net, I think.
> > > > 
> > > > No, the delay is only set if the password is found to be incorrect.
> > > > Same with /bin/login.
> > > 
> > > SSH does a delay *before* it asks for the password (or is this my slow
> > > machines?). Then it limits the guesses.
> > 
> > 
> > The main delay here is between
> >   debug1: ssh_connect: getuid 500 geteuid 0 anon 1
> > and
> >   debug1: Connecting to www.freeciv.org [64.37.156.68] port 22.
> > 
> > Strace with -tt reveals:
> [...]
> > So at least in my case I get a 1.5s delay because of the DNS loopkup.
> 
> Here is 'my' 2 sec delay (in LAN, without DNS):
> 
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> 15:58:43.789929 write(3, "\0\0\1\f\6 \0\0\1\0n5\373y\4|IS\26\311f\...
> 15:58:43.790422 select(4, [3], NULL, NULL, NULL) = 1 (in [3])
> 15:58:45.783546 read(3, "\0\0\2\374\4!\0\0\1\262\0\0\0\7ssh-dss\0\...
> ...
> debug1: Host 'bolte' is known and matches the DSA host key.
> 
> Whatever that means. Server is a P II-200.
> 
> Christian
> 
> PS: Of course this is pathword auth. A key auth won't need a delay.

That's actually another issue.  ssh probably isn't the best thing to use
as a comparison because it does all kinds of negotiating before offering
you a password auth.  It negotiates a protocol, then does a key
exchange, then runs through all the possible valid auth methods before
dropping to password.

A better example might login(1).

-- 
Paul Zastoupil