
Bug#281595: timing attack allows attacker to determine valid usernames



On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> > No, it's not fixed in 3.9p1.
> > 
> > The problem is not exactly the same, though.  In this case, it's partly 
> > because the keyboard-interactive code doesn't call the kbdint driver at 
> > all in this case.  The first attached patch ought to fix that.
> > 
> > With that fixed, a change to the PAM code is required because it will 
> > complete for a real user with their real password if, eg they are listed 
> > in DenyUsers.  This will result in the PAM code getting out of sync with 
> > the kbdint code, resulting in the authentication hanging.  The second 
> > patch ought to fix that.
> > 
> > I haven't done much testing of either patch, so please let me know how 
> > they go.
> 
> Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> PasswordAuthentication; the patch is attached. It seems to work for me.
> After a bit more testing I'll upload this to unstable.

Here's a further patch on top of your openssh-pam-kbdint-leak.patch
which makes sure that attempted root logins when PermitRootLogin is not
set to yes always have the same delay (Debian bug #248747). It's the
same as you did for PAM PasswordAuthentication.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
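
Added example, not part of the original message and not OpenSSH code or any of the patches mentioned: a Python sketch of the principle behind the fixes in this thread, that a login refused by policy (an unknown user, a DenyUsers entry, or root when PermitRootLogin is not yes) should cost the same work as an ordinary wrong password. The accounts, function names and the PBKDF2 check are assumptions made for illustration, and expensive checks are counted rather than timed.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000   # constructed work factor for the sketch
kdf_calls = 0         # counts expensive checks so cost is measured without a clock

def _kdf(password: str, salt: bytes) -> bytes:
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _record(password: str):
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

# Constructed accounts and policy (hypothetical, not taken from the page).
USERS = {name: _record(pw) for name, pw in
         [("alice", "correct horse"), ("mallory", "hunter2"), ("root", "sample-root-pw")]}
DENY_USERS = {"mallory"}
PERMIT_ROOT_LOGIN = False
DUMMY = _record("never-matches")   # checked in place of a missing account

def allowed(user: str) -> bool:
    if user not in USERS or user in DENY_USERS:
        return False
    return user != "root" or PERMIT_ROOT_LOGIN

def leaky_authenticate(user: str, password: str) -> bool:
    """Policy short-circuits the password check: refused names return early."""
    if not allowed(user):
        return False
    salt, stored = USERS[user]
    return hmac.compare_digest(_kdf(password, salt), stored)

def authenticate(user: str, password: str) -> bool:
    """Always do one password check; apply policy to the result afterwards."""
    salt, stored = USERS.get(user, DUMMY)
    matches = hmac.compare_digest(_kdf(password, salt), stored)
    return matches and allowed(user)

def cost(fn, user: str, password: str):
    """Return (result, number of expensive checks performed by fn)."""
    before = kdf_calls
    result = fn(user, password)
    return result, kdf_calls - before
```

`cost(leaky_authenticate, ...)` reports zero checks for a denied name and one for a permitted name, which is the difference the thread is closing; `authenticate` reports one check on every path.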