Vulnerability Development mailing list archives
Re: SSH 2.4.0/3.0.1 usernames guessable ?
From: Vince Hillier <vince () vince lansystems com>
Date: 04 Sep 2001 16:20:46 -0500
Just installed ssh.com's SSH 2.4.0 for testing, and I have gotten the same results as Marco van Berkum; the tests were done with the default configuration file for sshd2 v2.4.0.

bash-2.05$ ssh -V
ssh: SSH Secure Shell 2.4.0 (non-commercial version)

Failed login with valid username...

bash-2.05$ ssh -l vince localhost -p 22
vince's password:
vince's password:
vince's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further authentication methods available.).

Failed login with invalid username...

bash-2.05$ ssh -l 123james321 localhost -p 22
123james321's password:
warning: Authentication failed.
Disconnected; connection lost (Connection closed.).

Failed scp session with valid username...

bash-2.05$ touch test
bash-2.05$ scp test vince@localhost#22:/home/vince/test2
vince@localhost's password:
vince@localhost's password:
vince@localhost's password:
scp: warning: ssh2 client failed to authenticate. (or you have too old ssh2 installed, check with ssh2 -V)
warning: Authentication failed.
Disconnected; no more authentication methods available (No further authentication methods available.).
scp: warning: child process (ssh2) exited with code 1.

Failed scp session with invalid username...

bash-2.05$ scp test 123james321@localhost#22:/home/vince/test2
123james321@localhost's password:
scp: warning: ssh2 client failed to authenticate. (or you have too old ssh2 installed, check with ssh2 -V)
warning: Authentication failed.
Disconnected; connection lost (Connection closed.).
scp: warning: child process (ssh2) exited with code 1.

However, I am still getting the same results as I did initially with SSH 3.0.1; can anyone confirm this? I reinstalled SSH 3.0.1 and ran it with the default configuration... I am still getting this...

bash-2.05$ ssh -V
ssh: SSH Secure Shell 3.0.1 (non-commercial version

Failed login with valid username...

bash-2.05$ ssh -l vince localhost -p 22
vince's password:
vince's password:
vince's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further authentication methods available.).

Failed login with invalid username...

bash-2.05$ ssh -l 123james321 localhost -p 22
123james321's password:
123james321's password:
123james321's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further authentication methods available.).

Failed scp session with valid username...

bash-2.05$ scp test vince@localhost#22:/home/vince/test2
vince@localhost's password:
vince@localhost's password:
vince@localhost's password:
scp: warning: ssh2 client failed to authenticate. (or you have too old ssh2 installed, check with ssh2 -V)
warning: Authentication failed.
Disconnected; no more authentication methods available (No further authentication methods available.).
scp: warning: child process (/usr/local/bin/ssh2) exited with code 1.

Failed scp session with invalid username...

bash-2.05$ scp test 123james321@localhost#22:/home/vince/test2
123james321@localhost's password:
123james321@localhost's password:
123james321@localhost's password:
scp: warning: ssh2 client failed to authenticate. (or you have too old ssh2 installed, check with ssh2 -V)
warning: Authentication failed.
Disconnected; no more authentication methods available (No further authentication methods available.).
scp: warning: child process (/usr/local/bin/ssh2) exited with code 1.

On Tue, 2001-09-04 at 02:22, Marco van Berkum wrote:
> Vince Hillier wrote:
> > This doesn't seem to be present in ssh.com's SSH 3.0.1...
>
> Hmm strange, with 3.0.1. I did get a slightly different output with several tries. Coincidence? The 2.4.0 is guessable in pretty much any way you try.
>
> grtz,
> Marco van Berkum
> --
> GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w--- O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D---- G++ e- h+ r y*
> +-----------------------+------------------+-------------------+
> | Marco van Berkum      | MB17300-RIPE     | Security Engineer |
> | http://ws.obit.nl     | "Chernobyl used  | Network Admin     |
> | m.v.berkum () obit nl | Windows"         | UNIX              |
> +-----------------------+------------------+-------------------+
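
An added example, not part of the original message or of ssh.com's code: a Python check that reduces each failed-login transcript to what a client can observe (the number of password prompts and the disconnect reason) and reports whether valid and invalid usernames get distinguishable responses. The transcripts are retyped from the ssh sessions quoted above; the function names and the SESSIONS layout are hypothetical.

```python
import re

# Failed-login client output, retyped from the sessions quoted in the message
# above (ssh.com sshd2, default config). Template names and layout are constructed.
REJECT_AFTER_3 = (
    "{u}'s password:\n" * 3
    + "warning: Authentication failed.\n"
    "Disconnected; no more authentication methods available "
    "(No further authentication methods available.).\n"
)
REJECT_AFTER_1 = (
    "{u}'s password:\n"
    "warning: Authentication failed.\n"
    "Disconnected; connection lost (Connection closed.).\n"
)
SESSIONS = {
    "2.4.0": {"valid": REJECT_AFTER_3.format(u="vince"),
              "invalid": REJECT_AFTER_1.format(u="123james321")},
    "3.0.1": {"valid": REJECT_AFTER_3.format(u="vince"),
              "invalid": REJECT_AFTER_3.format(u="123james321")},
}


def fingerprint(transcript):
    """Return (password prompt count, disconnect reason), ignoring the username."""
    prompts = len(re.findall(r"'s password:", transcript))
    match = re.search(r"^Disconnected; ([^(]+?)\s*\(", transcript, re.M)
    return prompts, (match.group(1) if match else None)


def leaks_account_validity(valid, invalid):
    """True when the two failed logins look different to the client."""
    return fingerprint(valid) != fingerprint(invalid)


def audit(sessions):
    """Map each server version to whether its responses reveal valid accounts."""
    return {version: leaks_account_validity(pair["valid"], pair["invalid"])
            for version, pair in sessions.items()}


if __name__ == "__main__":
    for version, leaks in audit(SESSIONS).items():
        for kind, text in SESSIONS[version].items():
            print(version, kind, fingerprint(text))
        print(version, "distinguishable" if leaks else "uniform")
```

The same comparison can serve as a regression check after an sshd upgrade or configuration change, fed with fresh transcripts from a test host.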