Remote account guessing with "ssh-3.8p1-3" possible?
Hello List,
I'm not very familiar with Debian, so I would like to ask the ML before I post
something to the BTS. I know this is not the right place, but the bug is so
trivial that I'm afraid I may be missing the real point.
Okay, here we go. I'm talking about the sarge distribution in general and the
package "ssh-3.8p1-3 Secure rlogin/rsh/rcp replacement (OpenSSH)" in
particular.
The computer's name is "wolke":
% ssh -l root wolke
Password: <pressing RETURN>
sleeps for 3 seconds...
Password: <pressing RETURN>
sleeps for 3 seconds...
Password: <pressing RETURN>
sleeps for 3 seconds...
Permission denied (publickey,keyboard-interactive).
Everything is fine with that but now:
miro:/etc/rc3.d# ssh -l root2 miro
Password:
No(!) wait
Password:
No(!) wait
Password:
No(!) wait
Permission denied (publickey,keyboard-interactive).
"root2" doesn't exist on this computer, so you can guess the user accounts on
"wolke" and use this information for a real attack like password
hacking or cracking... I tried other account names as well, with the same
results: a long wait with existing users and no wait with non-existing users.
Can someone confirm this behaviour?
--
So long... Erik Wasser
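Added illustration, not from the original post and not OpenSSH or PAM code: a toy login routine that models the reported difference (unknown user fails instantly, known user with a wrong password fails after a 3-second pause), beside a version that pays the same hashing cost and the same delay for every failed attempt, plus a check a maintainer could run against either. The account table, salt, passwords and the function names are constructed.

```python
import hashlib
import hmac
import time

FAIL_DELAY = 3.0  # seconds, mirroring the 3 s pause in the report

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account table: username -> (salt, password hash)
_SALT = b"constructed-salt"
ACCOUNTS = {"root": (_SALT, _hash("not-the-real-password", _SALT))}
# Dummy credential used for unknown users so the hashing cost is always paid
_DUMMY = (_SALT, _hash("dummy", _SALT))

def leaky_login(user, password, sleep=time.sleep):
    """Reported behaviour: unknown users are rejected before any delay."""
    if user not in ACCOUNTS:
        return False, 0.0          # the timing oracle: no pause at all
    salt, expected = ACCOUNTS[user]
    if hmac.compare_digest(_hash(password, salt), expected):
        return True, 0.0
    sleep(FAIL_DELAY)              # pause only after a real account fails
    return False, FAIL_DELAY

def uniform_login(user, password, sleep=time.sleep):
    """Hardened: same hash work and same delay whether or not the user exists."""
    salt, expected = ACCOUNTS.get(user, _DUMMY)
    # The existence check comes after the hash so both paths cost the same;
    # it prevents the dummy credential itself from ever logging anyone in.
    ok = hmac.compare_digest(_hash(password, salt), expected) and user in ACCOUNTS
    if ok:
        return True, 0.0
    sleep(FAIL_DELAY)
    return False, FAIL_DELAY

def leaks_account_existence(login, known="root", unknown="root2"):
    """Check: do wrong-password failures for a known and an unknown user
    incur different delays? True means the login routine is an oracle."""
    _, d_known = login(known, "wrong", sleep=lambda s: None)
    _, d_unknown = login(unknown, "wrong", sleep=lambda s: None)
    return d_known != d_unknown
```

Passing `sleep=lambda s: None` lets the check run without actually waiting; in a real service the delay should be applied by the same code path for every failure.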