SSH password authentication and delays
Hi,
I found something quite strange while fiddling with openssh on my
firewall...
If I try to login using a valid username and a bogus password, I get a
slight delay before getting another 'password:' prompt. However, if I use a
bogus username _and_ a bogus password, the prompt appears immediately.
I tested this on an up-to-date woody system and a sid one, and both exhibit
the same behavior. I cannot believe it is intended, as it could be easily
used to guess valid usernames remotely with some kind of brute force
scanner.
The pam_unix auth module seems to support a 'nodelay' argument, but that
does not fix the whole brute force thing.
Anyone more knowledgeable than me care to comment?
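As an added illustration (not part of the original post) of the behaviour described above: a toy login check whose early return for unknown usernames skips both the password hashing and the failure delay, beside a version that does the same work and applies the same delay for every username. The user table, salt and passwords are constructed for the example.

```python
import hashlib
import hmac
import time

_ITERATIONS = 20_000
_SALT = b"constructed-salt"  # constructed; a real system uses a per-user random salt


def _derive(password: str, salt: bytes) -> bytes:
    """Slow password hash so the cost of checking a password is noticeable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user database: username -> (salt, stored hash).
USERS = {"alice": (_SALT, _derive("correct horse", _SALT))}

# Dummy credential so an unknown username costs the same as a real one.
_DUMMY = (_SALT, _derive("dummy", _SALT))


def leaky_login(user: str, password: str, delay: float = 0.0) -> dict:
    """Leaky pattern: unknown users exit before hashing and before the delay."""
    if user not in USERS:
        # Early return: no hash, no delay. A remote observer sees the prompt
        # come back immediately, which is what the post describes.
        return {"ok": False, "hashed": False, "delayed": False}
    salt, stored = USERS[user]
    ok = hmac.compare_digest(_derive(password, salt), stored)
    if not ok:
        time.sleep(delay)
    return {"ok": ok, "hashed": True, "delayed": not ok}


def hardened_login(user: str, password: str, delay: float = 0.0) -> dict:
    """Hardened pattern: same hashing work and same delay whether or not the user exists."""
    known = user in USERS
    salt, stored = USERS.get(user, _DUMMY)
    # Always hash; the dummy entry makes the unknown-user path cost the same.
    matched = hmac.compare_digest(_derive(password, salt), stored)
    ok = known and matched
    if not ok:
        time.sleep(delay)  # applied on every failure, not only for real users
    return {"ok": ok, "hashed": True, "delayed": not ok}
```

With `delay` set to a value like pam_unix's two-second failure pause, only `leaky_login` lets the two failure cases be told apart by response time.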