Bug#248747: ssh/timing issues with invalid/valid users

To: 248747@bugs.debian.org
Subject: Bug#248747: ssh/timing issues with invalid/valid users
From: Scott Dier <dieman@ringworld.org>
Date: Wed, 02 Jun 2004 13:11:38 -0500
Message-id: <[🔎] 40BE185A.1020503@ringworld.org>
Reply-to: Scott Dier <dieman@ringworld.org>, 248747@bugs.debian.org

I would recommend that this be added to a README file as a caveat ofusing this service. Provide workarounds (like using nodelay in pam andrestricting root logins via pam instead of ssh to get similar behavour)in the blurb but I don't see how the package can ensure configurationslike this don't exist.

This bug allows for an enumeration of users, which can be done on manymachines using smtp, http, and other protocols. Therefore I feel wegain very little in trying to fix this for all users, but it isimportant to note for users who want to lock their machine down.


Thanks,
--
Scott Dier <dieman@ringworld.org> KC0OBS http://www.ringworld.org/

Reply to:

Prev by Date: Bug#151102: ssh/automount
Next by Date: Bug#252649: sshd manpage unclear regarding permitopen, no-port-forwarding
Previous by thread: Bug#151102: ssh/automount
Next by thread: Bug#252649: sshd manpage unclear regarding permitopen, no-port-forwarding
Index(es):
- Date
- Thread