Security Incidents mailing list archives

Re: SSH bruteforce on its way...


From: Valdis.Kletnieks () vt edu
Date: Tue, 25 Oct 2005 19:08:32 -0400

On Tue, 25 Oct 2005 09:17:07 +1300, Russell Fulton said:

> Would you please provide some supporting references.  I can not find any
> evidence of existing timing attacks against openssh.  In fact Openssh
> goes to some trouble to defeat such attacks.

Russell, your google-foo is obviously weak.  Google'ed for '+ssh +timing +attack',
and the first few hits are against the keystroke-timing issue, and about number 6 is:

http://lists.debian.org/debian-ssh/2004/11/msg00053.html

which says:

CAN-2003-0190 describes a flaw in ssh's password prompt timing which
makes it easy for an attacker to determine if a username exists on a
machine. I've checked and testing and unstable's versions of ssh are
vulnerable. Details and some fixes are in this message:
http://marc.theaimsgroup.com/?l=bugtraq&m=105172058404810&w=2


References enough? ;)
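
The class of flaw the quoted Debian message describes, modelled as an added example (not code from this thread, OpenSSH or PAM): a login check that does different work for existing and non-existing usernames, next to one that does uniform work. All names, the account data and the KDF-call counter (a deterministic stand-in for wall-clock timing) are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for the demo
kdf_calls = 0        # counts expensive hash runs in place of elapsed time


def _kdf(password: str, salt: bytes) -> bytes:
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


# Constructed account database: username -> (salt, derived key)
USERS = {"alice": _make_record("correct horse")}
# Dummy record checked for unknown usernames so the cost matches a real one
DUMMY = _make_record("dummy-password-never-valid")


def check_leaky(user: str, password: str) -> bool:
    """Returns early for unknown users, so response time reveals existence."""
    record = USERS.get(user)
    if record is None:
        return False  # no KDF run: this path is measurably faster
    salt, stored = record
    return hmac.compare_digest(_kdf(password, salt), stored)


def check_uniform(user: str, password: str) -> bool:
    """Does the same KDF work whether or not the account exists."""
    record = USERS.get(user)
    salt, stored = record if record is not None else DUMMY
    match = hmac.compare_digest(_kdf(password, salt), stored)
    return match and record is not None  # dummy record can never log in


def kdf_cost(check, user: str, password: str) -> int:
    """Number of KDF runs that one login attempt triggers."""
    before = kdf_calls
    check(user, password)
    return kdf_calls - before
```

`kdf_cost` gives 1 for a known user and 0 for an unknown one with `check_leaky`, and 1 for both with `check_uniform`.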
