
Re: Remote account guessing with "ssh-3.8p1-3" possible?



On Wednesday, June 02, 2004 1:44 PM, Erik Wasser <fuzz@c-lab.de> wrote:

> I'm not very firm with Debian so I would like to ask the ML before
> I post something to the BTS. I know this is not the right place, but
> the bug is so trivial that I'm afraid I'm missing maybe the real
> point.
[...]
> "root2" doesn't exist on this computer so you can guess the user
> accounts on "wolke" and you can use this information for a real
> attack like password hacking or cracking... I tried other account
> names as well with the same results: long wait with existing users
> and no wait with non-existing users.

The issue is already known, and appears to be caused by PAM rather than
OpenSSH specifically.

See:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248747
http://lab.mediaservice.net/advisory/2003-01-openssh.txt

for more information.

Regards,

Adam
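
An added illustration, not part of the original message and not OpenSSH or PAM code: a toy password check showing the general pattern behind the timing difference in the quoted report (costly work only for existing accounts) beside a version that does the same work for unknown accounts. The account table, function names and KDF cost are assumptions; the KDF call counter stands in for elapsed time.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # assumed cost; real systems tune this
kdf_calls = 0         # counts expensive operations, a stand-in for elapsed time

def kdf(password, salt):
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password):
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed sample account table (hypothetical users and passwords).
USERS = {"root": make_record("correct horse"), "alice": make_record("s3cret")}
# Fixed dummy record so an unknown account costs the same as a known one.
DUMMY = make_record(os.urandom(16).hex())

def check_leaky(user, password):
    """Returns early for unknown users, so reply time reveals which accounts exist."""
    record = USERS.get(user)
    if record is None:
        return False                      # no KDF work: fast reply
    salt, stored = record
    return hmac.compare_digest(kdf(password, salt), stored)

def check_uniform(user, password):
    """Does the same KDF work whether or not the account exists."""
    record = USERS.get(user)
    salt, stored = record if record is not None else DUMMY
    ok = hmac.compare_digest(kdf(password, salt), stored)
    return ok and record is not None      # unknown accounts never succeed

def cost(check, user, password):
    """Number of KDF calls that one login attempt triggers."""
    before = kdf_calls
    check(user, password)
    return kdf_calls - before

if __name__ == "__main__":
    for check in (check_leaky, check_uniform):
        for user in ("root", "root2"):
            print(check.__name__, user, cost(check, user, "wrong"))
```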


