Bugtraq mailing list archives
Re: OpenSSH/PAM timing attack allows remote users identification
From: Ethan Benson <erbenson () alaska net>
Date: Thu, 1 May 2003 01:12:42 -0800
On Wed, Apr 30, 2003 at 04:34:27PM +0200, Marco Ivaldi wrote:
> root@voodoo:~# ssh [valid_user]@lab.mediaservice.net
> [valid_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [2 secs delay]
> Permission denied, please try again.
>
> root@voodoo:~# ssh [no_such_user]@lab.mediaservice.net
> [no_such_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [no delay]
> Permission denied, please try again.
i've noticed something similar in its handling of PermitRootLogin, if this option is set to `no' you get the following behavior:

$ ssh root@host
root@host's password: <- arbitrary (non-null) string
[2 secs delay]
Permission denied, please try again.

$ ssh root@host
root@host's password: <- correct root password
[no delay]
Permission denied, please try again.

i haven't checked the current version to see if this is still true.

i think you also will get no delay if DenyUsers or so is in use for accounts you're testing.

--
Ethan Benson
http://www.alaska.net/~erbenson/
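Added example, not part of the original message and not OpenSSH or PAM code: a small C model of the behaviour shown in the two transcripts above (a delay only when a password check fails) beside a variant in which every rejection takes the same path and the same delay. The account table, passwords, function names and the idea of reporting the delay as a value instead of sleeping are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample accounts; "denied" models PermitRootLogin no / DenyUsers. */
struct account { const char *name, *password; bool denied; };
static const struct account ACCOUNTS[] = {
    { "root",  "rootpw",  true  },
    { "alice", "alicepw", false },
};
#define FAIL_DELAY_MS 2000 /* the 2 second delay seen in the transcripts */

/* The model reports the delay it would sleep for instead of sleeping. */
struct result { bool ok; int delay_ms; };

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, user) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Behaviour in the transcripts: only a failed password check is delayed. */
struct result auth_leaky(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    if (!a) return (struct result){ false, 0 };             /* unknown user */
    if (strcmp(a->password, pw) != 0)
        return (struct result){ false, FAIL_DELAY_MS };     /* wrong password */
    return (struct result){ !a->denied, 0 };                /* denied: no delay */
}

/* Hardened: unknown and denied users still go through a password check
   (against a dummy entry), and every rejection gets the same delay.
   strcmp stands in for a constant-time comparison of password hashes. */
struct result auth_uniform(const char *user, const char *pw) {
    static const struct account dummy = { "", "", true };
    const struct account *a = lookup(user);
    bool match = strcmp((a ? a : &dummy)->password, pw) == 0;
    bool ok = a && match && !a->denied;
    return (struct result){ ok, ok ? 0 : FAIL_DELAY_MS };
}

int main(void) {
    const char *cases[][2] = { {"alice","x"}, {"nobody","x"}, {"root","x"}, {"root","rootpw"} };
    for (size_t i = 0; i < 4; i++)
        printf("%-6s %-6s leaky=%4dms uniform=%4dms\n", cases[i][0], cases[i][1],
               auth_leaky(cases[i][0], cases[i][1]).delay_ms,
               auth_uniform(cases[i][0], cases[i][1]).delay_ms);
    return 0;
}
```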