Re: AIX password enumeration possible

[Sven Specker <specker () rz uni-frankfurt de>]

Tested with AIX 5.1 ML05, Commercial SSH v3.2.2

Known account on yyyy set to rlogin=false, ssh allows only 1 connection attempt before error.


Case 1: Incorrect Password given.

user@xxxx:> ssh yyyy
user's password: 
warning: Authentication failed.
Disconnected; no more authentication methods available (No further authentication methods available.).


Case 2: Correct Password given.

user@xxxx:> ssh yyyy
user's password: 
warning: Authentication failed.
Disconnected; no more authentication methods available (No further authentication methods available.).


It seems as if the commercial ssh behaves differently and uses it's own messages. All r-services and telnet are no 
longer existant on our systems, so it appears to me that the easiest solution would be to use the commercial ssh and 
dump the r-services. That's seems the best way for ppl who are eligible to use the source release of the commercial 
ssh. 

Regards,

Sven Specker

-- 
__________________________________________________________________
*** Sven Specker -- University of Frankfurt Computing Center   ***
************ UNIX System Administration (NIM/Security) ***********
***** specker () rz uni-frankfurt de [Phone (+49)-69-798-25188] *****
******************************************************************
__________________________________________________________________              
                Johann Wolfgang Goethe Universitaet
                - Hochschulrechenzentrum -
                Senckenberganlage 31-33

                D-60054 Frankfurt/Main
__________________________________________________________________
______________ TeX-users do it in {groups}________________________