oss-sec mailing list archives
Re: About OpenSSH "user enumeration" / CVE-2018-15473
From: Damien Miller <djm () mindrot org>
Date: Sun, 26 Aug 2018 18:04:50 +1000 (AEST)
On Sat, 25 Aug 2018, Solar Designer wrote:
> This could mean an extra getpwnam(3) call, which is a slightly greater timing leak than what's present in one call. That may be further mitigated by always doing two calls. Of course, this won't be anywhere near timing-safe anyway.
>
> Now, it can be tricky to pick a specific fallback username in OpenSSH-portable that we'd be OK with all non-existent usernames to behave similarly to. "root" may somewhat likely have an unusual password hash (like it historically did on OpenBSD); "nobody" likely has its password locked (but maybe that's OK - it is in fact common for SSH users to have only public keys set up, and no passwords). Maybe there should be a way to override this dummy username in sshd_config.
That sounds like a fair amount of complexity in return for scant benefit: at best you dodge a few (IMO uninteresting) bugs, but now you are guaranteed to have all your authz code exposed to the attacker.

Moreover, using a "real fake" account gives a timing / system behaviour baseline too. It might be harder to discern, but techniques for making remote observations of subtle system side-channels are scarily well-developed, and I'm sure that it would be pretty easy to spot if people applied them.

-d