Vulnerability Development mailing list archives
Re: SSH 2.4.0/3.0.1 usernames guessable ?
From: Gordon Messmer <yinyang () eburg com>
Date: Mon, 3 Sep 2001 13:14:06 -0700 (PDT)
On Mon, 3 Sep 2001, Marco van Berkum wrote:
> As we were playing a bit with some SSH versions we came across some interesting 'bugs'. I hope this is not a 'known' bug, but I wasn't able to find any documentation regarding this flaw.

...

> Let's try to make an ssh connection for a non-existing user:
> Now I try it for an existing user:
> A clear difference in the output.
This "bug" was fixed some time ago in OpenSSH, which will currently give the same prompts for real users and nonexistent users. However, there is still a discernible difference between users that exist and those that don't in OpenSSH. If you attempt to connect as a user that exists, there will be a delay between password prompts. Connecting as a user that does not exist, the password prompts will lack the sleep() delay. Better, but not perfect.

-- 
If I had a dollar for every brain that you don't have, I'd have one dollar.
 - Squidward to SpongeBob
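The difference described in the reply above, modeled as an added example (not part of the original post and not OpenSSH code): a failure path that delays only for existing users, beside one that costs the same for every user. The account table, the function names, and the counters that stand in for the sleep() delay and the password verification are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample accounts; a real server would store password hashes. */
struct account { const char *user; const char *secret; };
static const struct account accounts[] = { {"alice", "correct horse"}, {"bob", "hunter2"} };
static const struct account dummy = { "", "not-a-real-secret" };

/* Counters stand in for wall-clock cost so the result is deterministic:
 * delays = failure sleeps taken, verifies = secret comparisons performed. */
struct attempt { bool ok; unsigned delays; unsigned verifies; };

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0) return &accounts[i];
    return NULL;
}

/* Comparison that does not stop at the first mismatching byte. */
static bool secret_eq(const char *given, const char *stored) {
    size_t lg = strlen(given), ls = strlen(stored);
    unsigned char diff = (unsigned char)(lg != ls);
    for (size_t i = 0; i < lg; i++)
        diff |= (unsigned char)(given[i] ^ stored[i < ls ? i : ls]);
    return diff == 0;
}

/* Behaviour described in the thread: only existing users reach the delay. */
struct attempt auth_leaky(const char *user, const char *pw) {
    struct attempt r = { false, 0, 0 };
    const struct account *a = lookup(user);
    if (a == NULL) return r;            /* unknown user fails immediately */
    r.verifies++;
    r.ok = secret_eq(pw, a->secret);
    if (!r.ok) r.delays++;              /* the sleep() an observer can time */
    return r;
}

/* Hardened form: unknown users are checked against a dummy record, so every
 * failure costs one verification and one delay. */
struct attempt auth_uniform(const char *user, const char *pw) {
    struct attempt r = { false, 0, 0 };
    const struct account *a = lookup(user);
    bool match = secret_eq(pw, (a ? a : &dummy)->secret);
    r.verifies++;
    r.ok = (a != NULL) && match;        /* dummy record can never log in */
    if (!r.ok) r.delays++;
    return r;
}
```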