Re: Re: About OpenSSH "user enumeration" / CVE-2018-15473

[Damien Miller <djm () mindrot org>]

On Fri, 24 Aug 2018, Solar Designer wrote:

> Hi Damien,
>
> Thank you for sharing these thoughts with the community.
>
> On Fri, Aug 24, 2018 at 10:58:20AM +1000, Damien Miller wrote:
> > Finally, and perhaps most importantly: there's a fundamental tradeoff
> > between attack surface and fixing this class of bug. As a concrete
> > example, fixing this one added about 150 lines of code to our
> > pre-authentication attack surface. In this case, we were willing to do
> > this because we had confidence in the additional parsing, mostly because
> > it's been reviewed several times and we've conducted a decent amount of
> > fuzzing on it. But, given the choice between leaving a known account
> > validity oracle or exposing something we don't trust, we'll choose the
> > former every time.
>
> Can you summarize for us all (on these mailing lists) the commits
> leading to OpenSSH 7.8 that deal with this issue and add "about 150
> lines of code", please? 

It's this one:

>  * sshd(8): avoid observable differences in request parsing that could
>    be used to determine whether a target user is valid.

(Commit 74287f5df9)

Note that there's no new code added, but delaying the checks means more
code is exposed before the authentication handler bails out.

-d