BugTraq
OpenSSH/PAM timing attack allows remote users identification Apr 30 2003 02:34PM
Marco Ivaldi (raptor mediaservice net) (4 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 01:15PM
Michael Shigorin (mike osdn org ua) (1 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 01:48PM
Marco Ivaldi (raptor mediaservice net)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 12:56AM
Karl-Heinz Haag (k haag linux-ag com)
Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 03:20PM
Thilo Schulz (arny ats s bawue de) (1 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 11:20AM
Marco Ivaldi (raptor mediaservice net)
Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 09:12AM
Ethan Benson (erbenson alaska net) (2 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 05 2003 12:55PM
Marco Ivaldi (raptor mediaservice net)
Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 06:15PM
Nicolas Couture (nc stormvault net)
On Thu, 2003-05-01 at 05:12, Ethan Benson wrote:
> On Wed, Apr 30, 2003 at 04:34:27PM +0200, Marco Ivaldi wrote:
> > root@voodoo:~# ssh [valid_user]@lab.mediaservice.net
> > [valid_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> > [2 secs delay]
> > Permission denied, please try again.
> >
> > root@voodoo:~# ssh [no_such_user]@lab.mediaservice.net
> > [no_such_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> > [no delay]
> > Permission denied, please try again.
>
> I've noticed something similar in its handling of PermitRootLogin, if
> this option is set to `no' you get the following behavior:

This is not only true in association with the ssh daemon's
configuration. Even if root login is allowed in its configuration but
PAM disallows root logins, it'll result in a 2-second delay on a bad
password and instantly reject a good password instead of logging in.

The problem is not in the handling of PermitRootLogin but in the
handling of login in sshd; adding a 2-second delay before login, or
removing the 2-second delay on bad login before sending an error, would
fix the problem.

> $ ssh root@host
> root@host's password: <- arbitrary (non-null) string
> [2 secs delay]
> Permission denied, please try again.
>
> $ ssh root@host
> root@host's password: <- correct root password
> [no delay]
> Permission denied, please try again.
>
> I haven't checked the current version to see if this is still true.

I verified this on Red Hat 8, openssh-3.4p1-2 (rpm), and sshd is acting
just like you described it.
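
Added example (not part of the original message, and not OpenSSH or PAM code): a small C model of the three cases reported in this thread, next to a variant in which every failed attempt takes the same time. The account table, passwords, function names and the simulated millisecond values are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model, not OpenSSH or PAM code. Times are simulated values,
 * no real sleeping, and plaintext passwords stand in for the real check. */
#define FAIL_DELAY_MS 2000  /* the 2-second delay reported in the thread */
struct account { const char *user, *password; int login_allowed; };
struct result  { int ok, ms; };  /* ms: simulated response time */
/* Constructed sample accounts: root exists but policy forbids its login. */
static const struct account accounts[] = {
    { "alice", "alice-sample-pw", 1 },
    { "root",  "root-sample-pw",  0 },
};

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Behaviour reported in the thread: only a wrong password for an existing
 * account is delayed, so timing reveals which check failed. */
struct result auth_leaky(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    if (a == NULL)
        return (struct result){ 0, 0 };             /* unknown user: instant */
    if (strcmp(a->password, pw) != 0)
        return (struct result){ 0, FAIL_DELAY_MS }; /* bad password: delayed */
    return (struct result){ a->login_allowed, 0 };  /* denied login: instant */
}

/* Uniform variant: unknown users are checked against a dummy entry, and
 * every failure, whatever its cause, gets the same delay. */
struct result auth_uniform(const char *user, const char *pw) {
    static const struct account dummy = { "", "no-such-account", 0 };
    const struct account *a = lookup(user);
    int known = (a != NULL);
    if (!known) a = &dummy;
    int ok = known & (strcmp(a->password, pw) == 0) & a->login_allowed;
    return (struct result){ ok, ok ? 0 : FAIL_DELAY_MS };
}

int main(void) {
    const char *users[] = { "alice", "nobody", "root" };
    for (int i = 0; i < 3; i++)
        printf("%-6s leaky=%4d ms  uniform=%4d ms\n", users[i],
               auth_leaky(users[i], "wrong").ms, auth_uniform(users[i], "wrong").ms);
    return 0;
}
```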
