
SSH password authentication and delays



Hi,

I found something quite strange while fiddling with openssh on my
firewall...

If I try to login using a valid username and a bogus password, I get a
slight delay before getting another 'password:' prompt. However, if I use a
bogus username _and_ a bogus password, the prompt appears immediately.

I tested this on an up-to-date woody system and a sid one, and both exhibit
the same behavior. I cannot believe it is intended, as it could be easily
used to guess valid usernames remotely with some kind of brute force
scanner.

The pam_unix auth module seems to support a 'nodelay' argument, but that
does not fix the whole brute force thing.

Anyone more knowledgeable than me care to comment?
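The behaviour described in the post, and the usual fix for it, reduced to a small simulation. This is an added example, not code from the post or from OpenSSH/PAM: the user database, salt and passwords are constructed, and the PAM delay is modelled as a counter of delay units rather than a real sleep so the timing gap can be measured offline. `auth_leaky` skips the password hash and the failure delay when the username does not exist, which is exactly the observable difference reported above; `auth_uniform` hashes against a dummy record and applies the same failure delay regardless of whether the user exists, so both kinds of failed login cost the same.

```python
import hashlib
import hmac


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the expensive step that a leaky implementation skips for unknown users."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample data, not real credentials.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _derive("correct horse", _SALT))}
# Dummy record of the same shape, so the work done for an unknown user is identical.
_DUMMY = (_SALT, _derive("dummy-password", _SALT))

FAIL_DELAY = 2  # simulated units of the delay pam_unix adds after a bad password


class Clock:
    """Counts simulated delay units instead of sleeping, so the leak is measurable offline."""

    def __init__(self) -> None:
        self.elapsed = 0

    def delay(self, units: int) -> None:
        self.elapsed += units


def auth_leaky(username: str, password: str, clock: Clock) -> bool:
    """Mirrors the reported behaviour: unknown user returns at once, bad password is delayed."""
    rec = USERS.get(username)
    if rec is None:
        return False  # no hash computed, no delay applied: the observable difference
    salt, stored = rec
    if hmac.compare_digest(_derive(password, salt), stored):
        return True
    clock.delay(FAIL_DELAY)
    return False


def auth_uniform(username: str, password: str, clock: Clock) -> bool:
    """Hardened: always hash, and always delay on failure, whether or not the user exists."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_derive(password, salt), stored)
    if username not in USERS:
        ok = False  # the dummy record must never authenticate anyone
    if not ok:
        clock.delay(FAIL_DELAY)
    return ok


def timing_gap(auth_fn, valid_user: str, bogus_user: str) -> int:
    """Delay units separating a failed login for a real user from one for a bogus user."""
    clock_valid, clock_bogus = Clock(), Clock()
    auth_fn(valid_user, "wrong-password", clock_valid)
    auth_fn(bogus_user, "wrong-password", clock_bogus)
    return clock_valid.elapsed - clock_bogus.elapsed


if __name__ == "__main__":
    print("leaky gap:", timing_gap(auth_leaky, "alice", "nobody"))      # 2: usernames distinguishable
    print("uniform gap:", timing_gap(auth_uniform, "alice", "nobody"))  # 0: both failures look alike
```

The point of the dummy record is that a constant delay alone is not enough: if the hash is skipped for unknown users, the remaining difference in CPU work is still measurable over the network, so the hardened path does the same hashing and the same delay on every failure.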




