
Bug#248747: marked as done (sshd: no delay on successful root login with permitroot = no)



Your message dated Sun, 28 Nov 2004 09:32:17 -0500
with message-id <E1CYQ65-0000K9-00@newraff.debian.org>
and subject line Bug#248747: fixed in openssh 1:3.8.1p1-8.sarge.4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 May 2004 23:02:07 +0000
>From hashar@twenkill.dyndns.org Wed May 12 16:02:07 2004
Return-path: <hashar@twenkill.dyndns.org>
Received: from ip-82.net-81-220-149.rev.numericable.fr (bihash) [81.220.149.82] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BO2jn-0003gf-00; Wed, 12 May 2004 16:02:07 -0700
Received: from hashar by bihash with local (Exim 3.36 #1 (Debian))
	id 1BO2jn-0001CR-00; Thu, 13 May 2004 01:02:07 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Ashar Voultoiz <thoane@altern.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sshd: no delay on successful root login with permitroot = no
X-Mailer: reportbug 2.58
Date: Thu, 13 May 2004 01:02:07 +0200
Message-Id: <E1BO2jn-0001CR-00@bihash>
Sender: Ashar Voultoiz <hashar@twenkill.dyndns.org>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 1

Package: ssh
Version: 1:3.8p1-3
Severity: normal


Hello,

I found this bug and googled for it to get more information. The
following link is a security advisory mentioning it:
http://lab.mediaservice.net/advisory/2003-01-openssh.txt

Basically, if user root is not authorized to connect via ssh and you enter
the correct password, there is no delay before the "password:"
prompt is shown again.
An attacker could then brute-force the ssh login and just time the server's
answer: if the answer comes back quickly, the password tried is the
correct one.


Many thanks for maintaining this package btw, it works well :o)


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.25-1-k7
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser                     3.52         Add and remove users and groups
ii  debconf                     1.4.22       Debian configuration management sy
ii  dpkg                        1.10.21      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-12 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-19      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-19      Runtime support for the PAM librar
ii  libpam0g                    0.76-19      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7d-1     SSL shared libraries
ii  libwrap0                    7.6.dbs-3    Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1-5    compression library - runtime

-- debconf information:
* ssh/privsep_tell: 
  ssh/insecure_rshd: 
  ssh/privsep_ask: true
  ssh/ssh2_keys_merged: 
* ssh/user_environment_tell: 
* ssh/forward_warning: 
  ssh/insecure_telnetd: 
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen: 
* ssh/run_sshd: true
* ssh/SUID_client: true

---------------------------------------
Received: (at 248747-close) by bugs.debian.org; 28 Nov 2004 14:40:18 +0000
>From katie@ftp-master.debian.org Sun Nov 28 06:40:18 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CYQDq-0005Ot-00; Sun, 28 Nov 2004 06:40:18 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1CYQ65-0000K9-00; Sun, 28 Nov 2004 09:32:17 -0500
From: Colin Watson <cjwatson@debian.org>
To: 248747-close@bugs.debian.org
X-Katie: $Revision: 1.54 $
Subject: Bug#248747: fixed in openssh 1:3.8.1p1-8.sarge.4
Message-Id: <E1CYQ65-0000K9-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 28 Nov 2004 09:32:17 -0500
Delivered-To: 248747-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 2

Source: openssh
Source-Version: 1:3.8.1p1-8.sarge.4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
openssh_3.8.1p1-8.sarge.4.diff.gz
  to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.4.diff.gz
openssh_3.8.1p1-8.sarge.4.dsc
  to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.4.dsc
ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
ssh_3.8.1p1-8.sarge.4_powerpc.deb
  to pool/main/o/openssh/ssh_3.8.1p1-8.sarge.4_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 248747@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 28 Nov 2004 12:37:16 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-8.sarge.4
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 248747 281595
Changes: 
 openssh (1:3.8.1p1-8.sarge.4) unstable; urgency=high
 .
   * Fix timing information leak allowing discovery of invalid usernames in
     PAM keyboard-interactive authentication (backported from a patch by
     Darren Tucker; closes: #281595).
   * Make sure that there's a delay in PAM keyboard-interactive
     authentication when PermitRootLogin is not set to yes and the correct
     root password is entered (closes: #248747).
Files: 
 8ad7931d85460ac1f9a2971e708d1d65 906 net standard openssh_3.8.1p1-8.sarge.4.dsc
 187b8455948c188c97c3bfba92120e51 155885 net standard openssh_3.8.1p1-8.sarge.4.diff.gz
 ef7b58119f1f6d1bc0efd10412df2235 737276 net standard ssh_3.8.1p1-8.sarge.4_powerpc.deb
 70e71d02d5370a22da119f47b492a4dc 52728 gnome optional ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
 cb5fd04403ea907c8be066b620ed906a 151080 debian-installer optional openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
 9cd11fbcd1bcf3e2c06b78721a727dea 160092 debian-installer optional openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFBqcvH9t0zAhD6TNERAv1CAJ9n9yy/P8zhf4kp7WoY99Rfuo9osgCdFneL
0RmN8Hcxkw5sO8WJ0u8AJ40=
=zOT0
-----END PGP SIGNATURE-----
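Added example, not code from the report or from OpenSSH: a deterministic Python model of the two authentication orderings this thread describes (the reporter's "instant reply on the correct root password" and the changelog's "always delay when PermitRootLogin is not yes"). Usernames, passwords, the salt and the 2000 ms figure are constructed placeholders, and the delay is returned as a number rather than slept, so the timing oracle can be checked without a clock.

```python
import hashlib
import hmac

# Constructed credential store (not real accounts): user -> salted hash.
_SALT = b"constructed-salt"

def _h(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()

USERS = {"root": _h("hunter2"), "alice": _h("correct horse")}
_DUMMY = _h("")            # compared against for unknown users (cf. #281595)
FAIL_DELAY_MS = 2000       # stand-in for sshd's deliberate failure delay

def _password_ok(user: str, password: str) -> bool:
    # Same amount of work whether or not the user exists.
    stored = USERS.get(user, _DUMMY)
    return hmac.compare_digest(stored, _h(password)) and user in USERS

def auth_buggy(user, password, permit_root_login="no"):
    """Pre-fix ordering: a correct root password with PermitRootLogin=no is
    refused before the failure delay is reached, so the reply is instant.
    Returns (accepted, delay_ms)."""
    ok = _password_ok(user, password)
    if ok and user == "root" and permit_root_login != "yes":
        return False, 0                  # early exit skips the delay
    if not ok:
        return False, FAIL_DELAY_MS
    return True, 0

def auth_fixed(user, password, permit_root_login="no"):
    """Post-fix ordering: every refusal, whatever its reason, pays the same
    delay, so a correct password is indistinguishable from a wrong one."""
    ok = _password_ok(user, password)
    if not ok or (user == "root" and permit_root_login != "yes"):
        return False, FAIL_DELAY_MS
    return True, 0

def leaks_timing(auth, user, candidates, permit_root_login="no"):
    """True if the refused attempts for `user` do not all take the same time,
    i.e. if an observer could pick out the correct candidate by timing alone."""
    results = (auth(user, c, permit_root_login) for c in candidates)
    delays = {delay for accepted, delay in results if not accepted}
    return len(delays) > 1
```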