Bug#248747: ssh/timing issues with invalid/valid users
I would recommend that this be added to a README file as a caveat of
using this service. Provide workarounds (like using nodelay in pam and
restricting root logins via pam instead of ssh to get similar behaviour)
in the blurb but I don't see how the package can ensure configurations
like this don't exist.
This bug allows for an enumeration of users, which can be done on many
machines using smtp, http, and other protocols. Therefore I feel we
gain very little in trying to fix this for all users, but it is
important to note for users who want to lock their machine down.
Thanks,
--
Scott Dier <dieman@ringworld.org> KC0OBS http://www.ringworld.org/