Re: Strengthen OpenSSH security?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Strengthen OpenSSH security?
From: Carson Gaspar <carson@xxxxxxxxxx>
Date: Wed, 19 Apr 2006 20:28:38 -0700
In-reply-to: <7.0.1.0.2.20060417223005.098d8eb0@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <7.0.1.0.2.20060417223005.098d8eb0@xxxxxxxxxx>

--On Monday, April 17, 2006 10:31 PM -0600 Brett Glass <brett@xxxxxxxxxx>wrote:

It seems to me that sshd should not tip its hand by returning different
responses when a user ID can be used for logins than when it can't --
allowing an attacker to focus password guessing attacks on user IDs with
which it would have a chance of gaining access. For those folks out there
who are more familiar with OpenSSH than I am: How hard would it be to
make the responses indistinguishable?

Are you running the latest version of portable OpenSSH? If not, you need toupgrade. As far as I know, there should be no more leaks of this sort inthe current code. If there are, please notify the openssh developers (andinclude your authentication configuration - your PAM modules may be leakingthe info, and there's nothing OpenSSH can do about that).


--
Carson

Follow-Ups:
- Re: Strengthen OpenSSH security?
  - From: Theo de Raadt

References:
- Strengthen OpenSSH security?
  - From: Brett Glass

Prev by Date: Re: Strengthen OpenSSH security?
Next by Date: Re: Re[3]: Bypassing ISA Server 2004 with IPv6
Previous by thread: Re: Strengthen OpenSSH security?
Next by thread: Re: Strengthen OpenSSH security?
Index(es):
- Date
- Thread