Bug#248747: sshd: no delay on successful root login with permitroot = no
Package: ssh
Version: 1:3.8p1-3
Severity: normal
Hello,
I found this bug and googled for it to get more information. The
following link is a security advisory mentioning it:
http://lab.mediaservice.net/advisory/2003-01-openssh.txt
Basically, if user root is not authorized to connect to ssh and you enter
the correct password, you will have no delay before the "password:"
prompt is shown again.
An attacker could then brute-force the ssh login and just time the server's
answer: if the answer comes back quickly, the password tried is the
correct one.
Many thanks for maintaining this package btw, it works well :o)
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.25-1-k7
Locale: LANG=C, LC_CTYPE=C
Versions of packages ssh depends on:
ii adduser 3.52 Add and remove users and groups
ii debconf 1.4.22 Debian configuration management sy
ii dpkg 1.10.21 Package maintenance system for Deb
ii libc6 2.3.2.ds1-12 GNU C Library: Shared libraries an
ii libpam-modules 0.76-19 Pluggable Authentication Modules f
ii libpam-runtime 0.76-19 Runtime support for the PAM librar
ii libpam0g 0.76-19 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7d-1 SSL shared libraries
ii libwrap0 7.6.dbs-3 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.1-5 compression library - runtime
-- debconf information:
* ssh/privsep_tell:
ssh/insecure_rshd:
ssh/privsep_ask: true
ssh/ssh2_keys_merged:
* ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
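The timing oracle described in the report, modelled as an added example (not OpenSSH's code): the vulnerable path rejects a correct root password before the failure delay, while the fixed path forces a policy-denied attempt through the same failure handling as a wrong password. The account store, password and the `(allowed, delay_applied)` return shape are constructed for the illustration.

```python
# Added illustration (not OpenSSH code) of the reported sshd behaviour:
# a correct root password with PermitRootLogin=no was rejected at once,
# a wrong one only after the usual failure delay, so response time told
# the client whether the password was right.  The fix folds the policy
# denial into the ordinary failure path.  Accounts are constructed data.
import hashlib
import hmac
import os

def _entry(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

USERS = {"root": _entry("correct-horse")}   # user -> (salt, digest)
PERMIT_ROOT_LOGIN = False                  # sshd_config: PermitRootLogin no

def check_password(user: str, password: str) -> bool:
    salt, digest = USERS[user]
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)

def root_denied(user: str) -> bool:
    return user == "root" and not PERMIT_ROOT_LOGIN

def auth_vulnerable(user: str, password: str) -> tuple[bool, bool]:
    """Return (login_allowed, failure_delay_applied); the real server
    sleeps where the second flag is True."""
    if check_password(user, password):
        if root_denied(user):
            return False, False   # fast denial: reveals the password was right
        return True, False
    return False, True            # wrong password: normal failure delay

def auth_fixed(user: str, password: str) -> tuple[bool, bool]:
    """Same interface; policy denial is an ordinary failed attempt."""
    authenticated = check_password(user, password)
    if root_denied(user):
        authenticated = False
    if not authenticated:
        return False, True        # every rejection takes the same path
    return True, False

def leaks_timing(auth) -> bool:
    """True if right and wrong root passwords are handled differently."""
    _, delay_right = auth("root", "correct-horse")
    _, delay_wrong = auth("root", "not-the-password")
    return delay_right != delay_wrong
```

`leaks_timing(auth_vulnerable)` is True and `leaks_timing(auth_fixed)` is False, which is the property a regression test for this class of bug should check.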