SecurityFocus

OpenSSH/PAM timing attack allows remote users identification Apr 30 2003 02:34PM
Marco Ivaldi (raptor mediaservice net) (4 replies)

Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 01:15PM
Michael Shigorin (mike osdn org ua) (1 replies)

Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 01:48PM
Marco Ivaldi (raptor mediaservice net)

On Fri, 2 May 2003, Michael Shigorin wrote:

> Are you talking of CURRENT branch? 4.x use linux-PAM as well.

Yeah, i was talking about FreeBSD-current, where OpenPAM has replaced
LinuxPAM, and new PAM modules have been introduced.

Speaking about FreeBSD 4.x, it doesn't seem to be vulnerable to the big
timing leak described in the advisory, even if doesn't uses the "nodelay"
option in /etc/pam.conf. I've not furtherly investigated this behaviour.

I believe, however, that all systems (FreeBSD included) are vulnerable to
many smaller timing leaks, and not only in OpenSSH. But i guess this is a
known problem.

--
Marco Ivaldi
Chief Security Officer Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/

[ reply ]

Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 12:56AM
Karl-Heinz Haag (k haag linux-ag com)

Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 03:20PM
Thilo Schulz (arny ats s bawue de) (1 replies)

Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 11:20AM
Marco Ivaldi (raptor mediaservice net)

Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 09:12AM
Ethan Benson (erbenson alaska net) (2 replies)

Re: OpenSSH/PAM timing attack allows remote users identification May 05 2003 12:55PM
Marco Ivaldi (raptor mediaservice net)

Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 06:15PM
Nicolas Couture (nc stormvault net)