Administrador DyR said:

> Well. If I try to enter your host, and I am rejected after sending a
> username "A", and before authenticating, I will know that I cannot log
> in to your server with username "A" (it's forbidden). If I find that, with
> username "B", I'm not rejected until after authentication, I will know
> that "B" is a valid username, and I'll try with the same "B" user, but
> with different passwords.
>
> If the system behaves the same way for invalid and valid user names, the
> bad guys won't be able to know which usernames are valid, so your
> security is stronger.

I have a home sarge box that I allow password auth on, and it behaves the
same way whether it's a valid user, invalid user, allowed user or
disallowed user. Each time I get the password prompt, and it uses the same
amount of time when failing my password. So it is pretty hard for an
attacker to tell if they are getting anywhere. I think older versions of
OpenSSH did not do this, but it has been fixed for a while now.

-- 
/phil
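The behaviour the quoted text describes (reject unknown users before asking for a password, versus treating valid and invalid names identically) is easy to see in a plain password check. The following is an added example, not code from this thread, from OpenSSH or from PAM: the user database, the password, the salts, and the names leaky_login, uniform_login and probe are all constructed for illustration. The leaky version returns a distinct message and skips the password hash for unknown names, so both the message and the time taken tell an attacker which accounts exist; the uniform version hashes against a dummy record and returns one generic failure, so an unknown name costs the same work and yields the same answer as a wrong password for a real account.

```python
"""Username-enumeration resistance in a password check (added example)."""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 50_000  # PBKDF2 rounds; moderate so the demo runs quickly

# Counts password derivations so a caller can see how much work each login
# path does (a proxy for the timing signal an attacker would measure).
derivations = 0


def hash_password(password: str, salt: bytes) -> bytes:
    global derivations
    derivations += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user database: username -> (salt, derived key).
USERS: dict = {}


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


add_user("alice", "correct horse battery staple")  # constructed account

# Dummy credential used for unknown usernames so the hardened check always
# runs exactly one derivation. Its password is random and never stored, so
# nothing an attacker types can match it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def leaky_login(username: str, password: str):
    """Vulnerable: unknown users are rejected early, with a distinct message
    and without any hashing, so message and timing both reveal which users exist."""
    if username not in USERS:
        return False, "no such user"
    salt, stored = USERS[username]
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "ok"
    return False, "bad password"


def uniform_login(username: str, password: str):
    """Hardened: one derivation and one generic failure message regardless of
    whether the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    # Never grant access on the dummy record, even if something matched it.
    ok = matched and username in USERS
    return ok, ("ok" if ok else "authentication failed")


def probe(login, username: str, password: str):
    """Run one login attempt and report (success, message, derivations done)."""
    global derivations
    before = derivations
    ok, msg = login(username, password)
    return ok, msg, derivations - before


if __name__ == "__main__":
    for login in (leaky_login, uniform_login):
        print(login.__name__)
        for name in ("alice", "bob"):
            t0 = time.perf_counter()
            ok, msg, work = probe(login, name, "not the password")
            dt = time.perf_counter() - t0
            print(f"  {name:6s} -> {msg!r:26s} derivations={work} time={dt * 1000:.1f} ms")
```

Running the block prints the two probes side by side: with leaky_login, "bob" fails in zero derivations and with a different message than "alice", while with uniform_login both names cost one derivation and get the same "authentication failed". In a real sshd the equivalent is that the password prompt appears, and the failure takes the same time, for every username, which is what the post above reports observing.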