Vulnerability Development mailing list archives

RE: SSH 2.4.0/3.0.1 usernames guessable ?


From: Liran Cohen <Theog () ParadigmGeo com>
Date: Tue, 4 Sep 2001 12:12:49 +0200

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, that is the case with most of the network applications except
Apache (the ones I encountered); however, there is a tool called
Languard port scanner which can show you host responses (really
neat). If it bothers you, I'm sure you can always download the ssh
source code and change that response (just search for the string....)

TheOg

Liran Cohen
e-mail:LiranC () Paradigmgeo com
Tel. office:+972-9-9709387
FAX.:+972-9-9709365
Tel. mobile:+972-54-898817 

- -----Original Message-----
From: quentyn () fotango com [mailto:quentyn () fotango com]
Sent: Monday, September 03, 2001 6:53 PM
To: m.v.berkum () obit nl
Cc: vuln
Subject: Re: SSH 2.4.0/3.0.1 usernames guessable ?


This does appear to be the default in both configs

I saw this in ssh2.40 and assumed that I was going mad ;o) (then
promptly forgot about it)

I can confirm your results in rh 6.2 - 7.1

you could set 

        PasswordGuesses                 3

to 1 (annoying) in the /etc/sshd2/sshd_config


I would report this to the people at ssh.com as they will respond (in
my experience) quickly



Q

- -- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
"Usenet is like a herd of performing elephants with diarrhea --
massive, difficult to redirect, awe-inspiring, entertaining, and a
source of mind-boggling amounts of excrement when you least expect
it."
   Gene "spaf" Spafford (1992)

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO5SoqyXZhGjHgDflEQJL0wCg1+l4lhW7Rp8G6UWhYqyOKd2AhIEAoOcU
n7QiDmStlHG7IayMlqIrSNYU
=evV0
-----END PGP SIGNATURE-----
 
