Bug#281595: timing attack allows attacker to determine valid usernames

[Colin Watson <cjwatson@debian.org>]

On Tue, Nov 16, 2004 at 03:11:07PM -0500, Joey Hess wrote:
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.2
> Severity: serious
> Tags: security
> 
> CAN-2003-0190 describes a flaw in ssh's password prompt timing which
> makes it easy for an attacker to determine if a username exists on a
> machine. I've checked and testing and unstable's versions of ssh are
> vulnerable. Details and some fixes are in this message:
> http://marc.theaimsgroup.com/?l=bugtraq&m=105172058404810&w=2
> 
> Feel free to downgrade this bug if you don't feel it's a real security
> problem or not RC. I assume upstream must not, since the problem has not
> been fixed in over a year. Of course, upstream problably doesn't use ssh
> in the vulnerable configuration, with pam.

I think it's been somewhat fixed upstream (where upstream == portable),
actually:

20040530
 [...]
 - (dtucker) [auth-pam.c] Use an invalid password for root if
   PermitRootLogin != yes or the login is invalid, to prevent leaking
   information.  Based on Openwall's owl-always-auth patch.  ok djm@

However, that's only PAM password authentication, and
keyboard-interactive is relevant too. Darren, do you happen to know if
kbdint has been fixed in the same way in 3.9p1? I don't see anything
obvious in CVS.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]