Re: Putty 0.45 vs. SSH Login
On Sun, 05 May 2002, Tim van Erven wrote:
> On Sun, May 05, 2002 at 02:49:56PM +0200, Vincent Hanquez <tab@crans.org> wrote:
> > On Sun, May 05, 2002 at 09:33:36AM +0300, Rauno Linnam?e wrote:
> >> When PermitRootLogin is set to no in /etc/ssh/sshd_config (as it
> >> should be), tryimg to log in as root using PuTTY 0.45: 1. after typing
> >> the correct password, the "Access denied" message line is returned
> >> immediately
> >
> > it's in my humble opinion normal, because the acces denied is done by
> > sshd and not by PAM
>
> It may be normal and even expected behaviour, but it's still an
> information leak and therefore a potential security issue.
Fixing this one is quite difficult. If you go through another code path in
ssh for blocked and non-blocked logins, which does not call PAM, you will
have other problems (because it is non-obvious that the PAM modules will
never get called).
The best bet would have to move the delay out of PAM (always using nodelay
in the ssh PAM file) into ssh, I suppose.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: