UsePAM in /etc/ssh/sshd_config and timing attacks

To: debian-security@lists.debian.org
Subject: UsePAM in /etc/ssh/sshd_config and timing attacks
From: Alexandros Papadopoulos <apapadop@alumni.cmu.edu>
Date: Mon, 24 Apr 2006 08:29:46 +0300
Message-id: <[🔎] 200604240829.46848.apapadop@alumni.cmu.edu>

Dear all

People have been complaining for too long that timings attacks are 
possible because of the way OpenSSH responds to keyboard-interactive 
authentication.

With the variance in the delay of response, it makes it obvious whether 
the username it tries to authenticate indeed exists on the remote 
machine or not.

A few days ago De Raadt sent an email to BUQTRAQ blaming this 
information leakage to PAM.

So, one would expect that the directive UsePAM in the sshd configuration 
file would help one get around this issue.

But although I have "UsePam no", I still see the same behavior (variance 
in response time).

Can this be resolved somehow?

Cheers

-A

Reply to:

Prev by Date: Re: Logauswertung
Next by Date: Re: Logauswertung
Previous by thread: Re: Logauswertung (en translation)
Next by thread: Re: [SECURITY] [DSA 1041-1] New abc2ps packages fix arbitrary code execution
Index(es):
- Date
- Thread