Bug#248747: Bug#281595: timing attack allows attacker to determine valid usernames
On Sun, Nov 28, 2004 at 12:37:11PM +0000, Colin Watson wrote:
> On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> > Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> > PasswordAuthentication; the patch is attached. It seems to work for me.
> > After a bit more testing I'll upload this to unstable.
>
> Here's a further patch on top of your openssh-pam-kbdint-leak.patch
> which makes sure that attempted root logins when PermitRootLogin is not
> set to yes always have the same delay (Debian bug #248747). It's the
> same as you did for PAM PasswordAuthentication.
... how about I actually attach it?
--
Colin Watson [cjwatson@debian.org]
Index: auth-pam.c
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/auth-pam.c,v
retrieving revision 1.11
diff -p -u -r1.11 auth-pam.c
--- auth-pam.c 28 Nov 2004 12:31:03 -0000 1.11
+++ auth-pam.c 28 Nov 2004 12:33:20 -0000
@@ -645,7 +645,9 @@ sshpam_respond(void *ctx, u_int num, cha
return (-1);
}
buffer_init(&buffer);
- if (sshpam_authctxt->valid)
+ if (sshpam_authctxt->valid &&
+ (sshpam_authctxt->pw->pw_uid != 0 ||
+ options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
else
buffer_put_cstring(&buffer, badpw);
Reply to: