Re: SSH 2.4.0/3.0.1 usernames guessable ?

[Gordon Messmer <yinyang () eburg com>]

On Mon, 3 Sep 2001, Marco van Berkum wrote:

> As we were playing a bit with some SSH versions we
> came across some interesting 'bugs'. I hope this is not
> a 'known' bug, but I wasn't able to find any documentation
> regarding this flaw.
...
> Lets try to make a ssh connection for a non existing user:
> Now I try it for a existing user:
> A clear difference in the output.

This "bug" was fixed some time ago in OpenSSH, which will currently give
the same prompts for real users and non-existant users.

However, there is still a discernable difference between users that exist
and those that don't in OpenSSH.  If you attempt to connect as a user that
exists, there will be a delay between password prompts.  Connecting
as a user that does not exist, the password prompts will lack the sleep()
delay.

Better, but not perfect.

-- 
If I had a dollar for every brain that you don't have,
        I'd have one dollar. - Squidward to SpongeBob