torjus/oubliette
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: address high-severity security issues from review

Browse Source 
- Use subtle.ConstantTimeCompare for static credential checks to
  prevent timing side-channel attacks
- Cap failCounts (100k) and rememberedCreds (10k) maps with eviction
  to prevent memory exhaustion from botnet-scale scanning
- Sweep expired credentials on each auth attempt
- Add configurable max_connections (default 500) with semaphore to
  limit concurrent connections and prevent goroutine/fd exhaustion

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-14 16:41:23 +01:00
parent 51fdea0c2f
commit a40110f2f5
6 changed files with 90 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
internal/server/server_test.go
View File

@@ -97,8 +97,9 @@ func TestIntegrationSSHConnect(t *testing.T) {
tmpDir := t.TempDir()
cfg := config.Config{
SSH: config.SSHConfig{
ListenAddr: "127.0.0.1:0",
HostKeyPath: filepath.Join(tmpDir, "host_key"),
ListenAddr: "127.0.0.1:0",
HostKeyPath: filepath.Join(tmpDir, "host_key"),
MaxConnections: 100,
},
Auth: config.AuthConfig{
AcceptAfter: 2,