Vulnerability Development mailing list archives
Re: SSH 2.4.0/3.0.1 usernames guessable ?
From: Marco van Berkum <m.v.berkum () obit nl>
Date: Tue, 04 Sep 2001 09:18:49 +0200
Samu wrote:
> it was an old trick posted to bugtraq some time ago for openssh ( I can't give you link 'cause search function today is not working )

yeah, tried to find docu regarding this issue, didn't succeed because of this.

> anyway it can be avoided by setting ( on openssh conf ) NumberOfPasswordPrompts 1

Yes, in the commercial version there is a 'password guesses' option which defaults to 3, but as you can see in the first example it just quits after 1 try when it's a non-existent user. Apparently this does not apply to illegal users.

grtz,
Marco van Berkum
--
GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w--- O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D---- G++ e- h+ r y*
+-----------------------+------------------+-------------------+
| Marco van Berkum      | MB17300-RIPE     | Security Engineer |
| http://ws.obit.nl     | "Chernobyl used  | Network Admin     |
| m.v.berkum () obit nl | Windows"         | UNIX              |
+-----------------------+------------------+-------------------+
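The prompt-count difference discussed in this message, shown as an added example that is not part of the original post and is not code from any SSH implementation: a simulated password loop that drops unknown users after one prompt, beside a version that gives every username the same number of prompts and the same hash work. The user table, function names and PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_PROMPTS = 3  # the 'password guesses' default mentioned in the post


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


# Constructed account database: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash(b"correct horse", _SALT))}
# Dummy record so unknown users cost the same hash work as real ones.
_DUMMY = (os.urandom(16), os.urandom(32))


def leaky_session(user, guesses):
    """Behaviour described in the post: unknown user is dropped after 1 prompt."""
    limit = MAX_PROMPTS if user in USERS else 1
    prompts = 0
    for guess in guesses[:limit]:
        prompts += 1
        if user in USERS:
            salt, stored = USERS[user]
            if hmac.compare_digest(_hash(guess, salt), stored):
                return True, prompts
    return False, prompts


def uniform_session(user, guesses):
    """Same prompt count and same hash work whether or not the user exists."""
    known = user in USERS
    salt, stored = USERS[user] if known else _DUMMY
    prompts = 0
    for guess in guesses[:MAX_PROMPTS]:
        prompts += 1
        match = hmac.compare_digest(_hash(guess, salt), stored)
        if match and known:
            return True, prompts
    return False, prompts


def prompts_seen(session, user):
    """What a client observes: password prompts before the server disconnects."""
    return session(user, [b"wrong"] * MAX_PROMPTS)[1]
```
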