UsePAM in /etc/ssh/sshd_config and timing attacks
Dear all
People have been complaining for too long that timings attacks are
possible because of the way OpenSSH responds to keyboard-interactive
authentication.
With the variance in the delay of response, it makes it obvious whether
the username it tries to authenticate indeed exists on the remote
machine or not.
A few days ago De Raadt sent an email to BUQTRAQ blaming this
information leakage to PAM.
So, one would expect that the directive UsePAM in the sshd configuration
file would help one get around this issue.
But although I have "UsePam no", I still see the same behavior (variance
in response time).
Can this be resolved somehow?
Cheers
-A
Reply to: