Re: SSH password authentification and delays

To: debian-security@lists.debian.org
Subject: Re: SSH password authentification and delays
From: Samu <samu@linuxasylum.net>
Date: Sat, 6 Apr 2002 18:36:29 +0200
Message-id: <[🔎] 20020406163629.GA5830@linuxasylum.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 004001c1dd82$52f32d00$0201a8c0@dreamscape>
References: <[🔎] 004001c1dd82$52f32d00$0201a8c0@dreamscape>

On Sat, Apr 06, 2002 at 05:47:14PM +0200, Vincent wrote:
> Hi,
> 
> I found something quite strange while fiddling with openssh on my
> firewall...
> 
> If I try to login using a valid username and a bogus password, I get a
> slight delay before getting another 'password:' prompt. However, If I use a
> bogus username _and_ a bogus password, the prompt appears immediately.
> 
> I tested this on an up-to-date woody system and a sid one, and both exhibit
> the same behavior. I cannot believe it is intended, as it could be easily
> used to guess valid usernames remotely with some kind of brute force
> scanner.
i noticed the same things if the user/pass are on a NIS server  esported
to the machine i'm logging

cya
Samuele 


-- 
Samuele Giovanni Tonon  <samu@linuxasylum.net>   http://www.linuxasylum.net/~samu/
          	Acid -- better living through chemistry.
			       Timothy Leary


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- SSH password authentification and delays
  - From: "Vincent" <dawg@wanadoo.fr>

Prev by Date: SSH password authentification and delays
Next by Date: unsubscribe
Previous by thread: SSH password authentification and delays
Next by thread: OpenSSH 3.1
Index(es):
- Date
- Thread