Vulnerability Development mailing list archives

Re: SSH 2.4.0/3.0.1 usernames guessable ?


From: Marco van Berkum <m.v.berkum () obit nl>
Date: Tue, 04 Sep 2001 09:18:49 +0200

Samu wrote:

> it was an old trick posted to bugtraq some time ago for openssh
> (I can't give you link 'cause search function today is not working)


yeah, tried to find docu regarding this issue, didn't succeed because of
this.


> anyway it can be avoided by setting (on openssh conf)
>
> NumberOfPasswordPrompts  1


Yes, in the commercial version there is a 'password guesses' option which
defaults to 3, but as you can see in the first example it just quits after 1
try when it's a non-existent user. Apparently this does not apply to illegal
users.

grtz,
Marco van Berkum
--
GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w---
O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D----
G++ e- h+ r y*
+---------------------+------------------+-------------------+
|  Marco van Berkum   |   MB17300-RIPE   | Security Engineer |
|  http://ws.obit.nl  | "Chernobyl used  | Network Admin     |
|  m.v.berkum () obit nl |     Windows"     |      UNIX         |
+---------------------+------------------+-------------------+


