Bugtraq mailing list archives
Re: Strengthen OpenSSH security?
From: Carson Gaspar <carson () taltos org>
Date: Wed, 19 Apr 2006 20:28:38 -0700
--On Monday, April 17, 2006 10:31 PM -0600 Brett Glass <brett () lariat org> wrote:
It seems to me that sshd should not tip its hand by returning different responses when a user ID can be used for logins than when it can't -- allowing an attacker to focus password guessing attacks on user IDs with which it would have a chance of gaining access. For those folks out there who are more familiar with OpenSSH than I am: How hard would it be to make the responses indistinguishable?
Are you running the latest version of portable OpenSSH? If not, you need to upgrade. As far as I know, there should be no more leaks of this sort in the current code. If there are, please notify the openssh developers (and include your authentication configuration - your PAM modules may be leaking the info, and there's nothing OpenSSH can do about that).
-- Carson
Current thread:
- Strengthen OpenSSH security? Brett Glass (Apr 19)
- Re: Strengthen OpenSSH security? Mike Hoskins (Apr 20)
- Re: Strengthen OpenSSH security? Carson Gaspar (Apr 20)
- Re: Strengthen OpenSSH security? Theo de Raadt (Apr 21)
- Re: Strengthen OpenSSH security? Kd (Apr 20)
- Re: Strengthen OpenSSH security? MaddHatter (Apr 20)
- Re: Strengthen OpenSSH security? Damien Miller (Apr 20)
- Re: Strengthen OpenSSH security? c0redump (Apr 20)
- <Possible follow-ups>
- Re: Strengthen OpenSSH security? Bob Goodman (Apr 23)