lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 19 Apr 2006 20:28:38 -0700
From: Carson Gaspar <carson@...tos.org>
To: bugtraq@...urityfocus.com
Subject: Re: Strengthen OpenSSH security?


--On Monday, April 17, 2006 10:31 PM -0600 Brett Glass <brett@...iat.org> 
wrote:

> It seems to me that sshd should not tip its hand by returning different
> responses when a user ID can be used for logins than when it can't --
> allowing an attacker to focus password guessing attacks on user IDs with
> which it would have a chance of gaining access. For those folks out there
> who are more familiar with OpenSSH than I am: How hard would it be to
> make the responses indistinguishable?

Are you running the latest version of portable OpenSSH? If not, you need to 
upgrade. As far as I know, there should be no more leaks of this sort in 
the current code. If there are, please notify the openssh developers (and 
include your authentication configuration - your PAM modules may be leaking 
the info, and there's nothing OpenSSH can do about that).

-- 
Carson

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ