
Bug#99168: marked as done (ssh: identifying root's password by measuring password-failure delays)



Your message dated Wed, 03 Sep 2003 16:26:06 -0400
with message-id <E19ueCc-0005eH-00@auric.debian.org>
and subject line Bug#99168: fixed in openssh 1:3.6.1p2-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 May 2001 17:04:29 +0000
>From osk@hem.passagen.se Tue May 29 12:04:29 2001
Return-path: <osk@hem.passagen.se>
Received: from mail2.passagen.se [195.163.107.11] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 154muy-0000YU-00; Tue, 29 May 2001 12:04:28 -0500
Received: from oskar (mail@as2-1-6.lh.m.bonet.se [194.236.130.162]) by mail2.passagen.se (8.9.3/8.9.3/1.22)
	with ESMTP id <TAA16759> for <submit@bugs.debian.org>; Tue, 29 May 2001 19:04:22 +0200 (MET DST)
Received: from usel by oskar with local (Exim 3.22 #1 (Debian))
	id 154mwn-0001lI-00; Tue, 29 May 2001 19:06:21 +0200
From: Oskar Liljeblad <osk@hem.passagen.se>
Subject: ssh: identifying root's password by measuring password-failure delays
To: submit@bugs.debian.org
X-Mailer: bug 3.3.9
Message-Id: <E154mwn-0001lI-00@oskar>
Sender: Oskar Liljeblad <usel@oskar>
Date: Tue, 29 May 2001 19:06:21 +0200
Delivered-To: submit@bugs.debian.org

Package: ssh
Version: 1:2.5.2p2-2.1
Severity: normal

I don't know how to categorise this behaviour, but I consider
it a bug. (If not a bug, at least mention it in README.Debian.)

Logging in with root through ssh is not possible in the default
configuration of openssh in Debian. However, when you try to log
in as root, and use root's correct password, you will _immediately_
be presented with this message:

  Permission denied, please try again.

Normally (as in the case when you enter an invalid password, even
for root), that message is first printed after a 1-2 second delay.

Oskar Liljeblad (osk@hem.passagen.se)

-- System Information
Debian Release: testing/unstable
Kernel Version: Linux oskar 2.2.19 #1 SMP Wed May 9 08:10:45 CEST 2001 i686 unknown

Versions of the packages ssh depends on:
ii  debconf        0.9.62         Debian configuration management system
ii  libc6          2.2.3-1        GNU C Library: Shared libraries and Timezone
ii  libpam-modules 0.72-24        Pluggable Authentication Modules for PAM
ii  libpam0g       0.72-24        Pluggable Authentication Modules library
ii  libssl0.9.6    0.9.6-2        SSL shared libraries
ii  libwrap0       7.6-7          Wietse Venema's TCP wrappers library
ii  zlib1g         1.1.3-15       compression library - runtime
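
Added example (not part of the original report, and not OpenSSH or PAM code): a small C model of the behaviour reported above, where a correct root password is refused at once while a wrong one is refused after a delay, next to a variant in which every refusal costs the same. The names backend_check, login_leaky, login_uniform and refusal_gap_ms, the sample passwords and the 2000 ms figure are assumptions made for illustration; delays are returned as numbers, so nothing sleeps.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FAIL_DELAY_MS 2000   /* constructed stand-in for the 1-2 s delay */

struct account { const char *password; bool is_root; };
struct outcome { bool granted; int delay_ms; };
typedef struct outcome (*login_fn)(const struct account *, const char *, bool);

/* Hypothetical password backend: it delays only when the password is wrong.
 * Toy plaintext compare; the delay is modelled, not slept. */
static struct outcome backend_check(const struct account *a, const char *pw)
{
    bool ok = strcmp(a->password, pw) == 0;
    return (struct outcome){ ok, ok ? 0 : FAIL_DELAY_MS };
}

/* Reported behaviour: the root-login policy is applied after the backend
 * has answered, so a correct root password is refused with no delay. */
struct outcome login_leaky(const struct account *a, const char *pw, bool permit_root)
{
    struct outcome o = backend_check(a, pw);
    if (a->is_root && !permit_root) o.granted = false;
    return o;
}

/* Uniform variant: every refusal carries the same delay, whatever its cause. */
struct outcome login_uniform(const struct account *a, const char *pw, bool permit_root)
{
    struct outcome o = backend_check(a, pw);
    bool ok = o.granted && !(a->is_root && !permit_root);
    return (struct outcome){ ok, ok ? 0 : FAIL_DELAY_MS };
}

/* Delay gap between refusing a wrong and a correct root password; 0 = no leak. */
int refusal_gap_ms(login_fn login)
{
    struct account root = { "constructed-secret", true };
    return login(&root, "wrong-guess", false).delay_ms
         - login(&root, root.password, false).delay_ms;
}

int main(void)
{
    printf("refusal gap: leaky=%d ms, uniform=%d ms\n",
           refusal_gap_ms(login_leaky), refusal_gap_ms(login_uniform));
    return 0;
}
```

A non-zero gap from refusal_gap_ms means the refusal itself reveals whether the guess was right, which is the information leak the report describes.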

---------------------------------------
Received: (at 99168-close) by bugs.debian.org; 3 Sep 2003 20:39:05 +0000
>From katie@auric.debian.org Wed Sep 03 15:39:02 2003
Return-path: <katie@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19ueP6-0005lb-00; Wed, 03 Sep 2003 15:39:00 -0500
Received: from katie by auric.debian.org with local (Exim 3.35 1 (Debian))
	id 19ueCc-0005eH-00; Wed, 03 Sep 2003 16:26:06 -0400
From: Colin Watson <cjwatson@debian.org>
To: 99168-close@bugs.debian.org
X-Katie: $Revision: 1.35 $
Subject: Bug#99168: fixed in openssh 1:3.6.1p2-6
Message-Id: <E19ueCc-0005eH-00@auric.debian.org>
Sender: Archive Administrator <katie@auric.debian.org>
Date: Wed, 03 Sep 2003 16:26:06 -0400
Delivered-To: 99168-close@bugs.debian.org

Source: openssh
Source-Version: 1:3.6.1p2-6

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh_3.6.1p2-6.diff.gz
  to pool/main/o/openssh/openssh_3.6.1p2-6.diff.gz
openssh_3.6.1p2-6.dsc
  to pool/main/o/openssh/openssh_3.6.1p2-6.dsc
ssh-askpass-gnome_3.6.1p2-6_i386.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.6.1p2-6_i386.deb
ssh_3.6.1p2-6_i386.deb
  to pool/main/o/openssh/ssh_3.6.1p2-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 99168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  3 Sep 2003 19:14:02 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh
Architecture: source i386
Version: 1:3.6.1p2-6
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 99168 192207 193546 197576 208036
Changes: 
 openssh (1:3.6.1p2-6) unstable; urgency=medium
 .
   * Use a more CVS-friendly means of setting SSH_VERSION.
   * Update Brazilian Portuguese debconf template translation (thanks, Andre
     Luis Lopes; closes: #208036).
   * Don't run 'sshd -t' in init script if the server isn't to be run
     (closes: #197576).
   * Fix login delay, spurious auth.log entry, and PermitRootLogin
     information leakage due to PAM issues with upstream's recent security
     update (thanks, Darren Tucker; closes: #99168, #192207, #193546).
   * Policy version 3.6.1: recode this changelog to UTF-8.
Files: 
 79a152667d63253e2086fa31f78425f1 847 net standard openssh_3.6.1p2-6.dsc
 0ed10571bcc3518bd5c10fd8f6418438 80668 net standard openssh_3.6.1p2-6.diff.gz
 5ae4629042fc19ef0f5b422ddc5bd6e2 645280 net standard ssh_3.6.1p2-6_i386.deb
 9a738e3aa3c8bd9512e5166772b4b65e 42648 gnome optional ssh-askpass-gnome_3.6.1p2-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQE/VjhV9t0zAhD6TNERAnPdAJwJY8w0hKP7YjqCIXX88LtblA9sggCeMSar
uMuo5E2Omu+KC+f0zFA50xc=
=Lwmi
-----END PGP SIGNATURE-----



