Bugtraq mailing list archives
Re: OpenSSH/PAM timing attack allows remote users identification
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 2 May 2003 15:48:00 +0200 (CEST)
On Fri, 2 May 2003, Michael Shigorin wrote:
> Are you talking of CURRENT branch? 4.x use linux-PAM as well.

Yeah, I was talking about FreeBSD-current, where OpenPAM has replaced LinuxPAM, and new PAM modules have been introduced. Speaking about FreeBSD 4.x, it doesn't seem to be vulnerable to the big timing leak described in the advisory, even if it doesn't use the "nodelay" option in /etc/pam.conf. I've not investigated this behaviour further.

I believe, however, that all systems (FreeBSD included) are vulnerable to many smaller timing leaks, and not only in OpenSSH. But I guess this is a known problem.

--
Marco Ivaldi
Chief Security Officer
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/