BugTraq
Strengthen OpenSSH security? Apr 18 2006 04:31AM
Brett Glass (brett lariat org) (6 replies)
Re: Strengthen OpenSSH security? Apr 20 2006 11:47AM
c0redump ackers org uk
Re: Strengthen OpenSSH security? Apr 20 2006 05:13AM
Damien Miller (djm mindrot org)
Re: Strengthen OpenSSH security? Apr 20 2006 04:33AM
MaddHatter (maddhatt+bugtraq cat pdx edu)
Re: Strengthen OpenSSH security? Apr 20 2006 04:03AM
Kd (kilrathi gmail com)
Re: Strengthen OpenSSH security? Apr 20 2006 03:28AM
Carson Gaspar (carson taltos org) (1 replies)
--On Monday, April 17, 2006 10:31 PM -0600 Brett Glass <brett (at) lariat (dot) org> wrote:

> It seems to me that sshd should not tip its hand by returning different
> responses when a user ID can be used for logins than when it can't --
> allowing an attacker to focus password guessing attacks on user IDs with
> which it would have a chance of gaining access. For those folks out there
> who are more familiar with OpenSSH than I am: How hard would it be to
> make the responses indistinguishable?

Are you running the latest version of portable OpenSSH? If not, you need to
upgrade. As far as I know, there should be no more leaks of this sort in
the current code. If there are, please notify the openssh developers (and
include your authentication configuration - your PAM modules may be leaking
the info, and there's nothing OpenSSH can do about that).

--
Carson

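An added illustration of the question quoted above (not code from this thread or from OpenSSH): a password check whose replies and early returns reveal which user IDs can log in, beside one that gives the same reply and does the same hashing work for every failure. The account table, function names, reply strings and PBKDF2 parameters are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for this sketch
GENERIC_FAILURE = "Permission denied"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _make_account(password, login_allowed=True):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt),
            "login_allowed": login_allowed}

# Constructed sample accounts (hypothetical, not from the thread).
ACCOUNTS = {
    "alice": _make_account("correct horse"),
    "daemon": _make_account("unused", login_allowed=False),
}
# Throwaway credential checked when the user ID is unknown, so that
# path performs one hash computation like every other path.
_DUMMY = _make_account(os.urandom(16).hex())

def leaky_login(user, password):
    """'Before' form: distinct replies and early returns expose valid IDs."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return "No such user"            # no hashing done: fast and distinct
    if not acct["login_allowed"]:
        return "Account not permitted"   # distinct again, still no hashing
    if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
        return "Welcome"
    return "Wrong password"

def uniform_login(user, password):
    """Hardened form: one reply and one hash computation for any failure."""
    acct = ACCOUNTS.get(user)
    target = acct if acct is not None else _DUMMY
    ok = hmac.compare_digest(_hash(password, target["salt"]), target["hash"])
    allowed = acct is not None and acct["login_allowed"]
    return "Welcome" if (ok and allowed) else GENERIC_FAILURE

def distinct_failure_replies(login):
    """Replies seen for a failed login in each account state."""
    cases = [("alice", "bad"), ("daemon", "bad"), ("nobody", "bad")]
    return {login(user, password) for user, password in cases}
```

Reply text and hashing cost are only two channels; as the message above notes, components behind the server such as PAM modules can leak the same information.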
Re: Strengthen OpenSSH security? Apr 21 2006 01:15AM
Theo de Raadt (deraadt cvs openbsd org)
Re: Strengthen OpenSSH security? Apr 20 2006 03:21AM
Mike Hoskins (mhoskins e2open com)


 

Copyright 2010, SecurityFocus