
Bug#314645: /usr/sbin/sshd: time delay of password check proves account existence to attackers



On Fri, Jun 17, 2005 at 09:14:04AM -0700, Greg Webster wrote:
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.4
> Severity: critical
> File: /usr/sbin/sshd
> Tags: security
> Justification: root security hole
> 
> Due to the delay that is caused by password checking, once ssh
> determines that the login attempt is for a valid account, attackers can
> statistically prove the existence of accounts on a ssh-accessible server
> remotely. This cuts down greatly on the difficulty of a brute-force
> password-guessing attack. Since user accounts often use worse patterns
> than (hopefully) root does, it doesn't take much to pick user accounts
> that are other than standard accounts and attempt to break in.
You're talking about microsecond delays, right?

> I'd strongly suggest either a randomized delay on responses for login
> attempts on non-existent accounts, or a consistent delay between
> existing and non-existent accounts, or some other method of hiding this
> information.
Didn't this get implemented?  I recall hearing about this some time
ago (~18 months?), probably on one of the Debian lists.

> This attack is already in the wild, as shown in logs:
This doesn't seem to indicate any particular attack.  I don't know if
there's any evidence that it's doing anything other than sshing to
$user:$user@yourmachine.  (Though there is no evidence to support my
claim, either.  It would be interesting to force the use of password
authentication, rather than challenge-response, to see what password
is being used.  Takers?)

> Jun 16 08:30:14 localhost sshd[30986]: Illegal user jacob from
> 211.196.3.60
> Jun 16 08:30:16 localhost sshd[30988]: Illegal user michael from
> 211.196.3.60
...

Justin
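Added example, not code from this bug report or from OpenSSH: a password check that returns early for unknown accounts beside one that always does the same hashing work, which is the "consistent delay between existing and non-existent accounts" the reporter suggests. The user table, hash parameters, dummy credential and call counter are constructed stand-ins for illustration.

```python
"""Why password checking can reveal account existence, and the fix:
do the same expensive work whether or not the account exists."""
import hashlib
import hmac
import os

# Constructed stand-ins: a tiny user table and a PBKDF2 derivation that
# plays the role of sshd's password verification (not a real account).
def _derive(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"jacob": (_SALT, _derive(b"correct horse", _SALT))}

# Dummy credential so unknown users cost exactly one derivation too.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = _derive(b"dummy", DUMMY_SALT)

hash_calls = 0  # instrumentation: expensive derivations run per attempt

def _counted_derive(password: bytes, salt: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return _derive(password, salt)

def check_leaky(user: str, password: bytes) -> bool:
    """Leaky: an unknown user returns before the expensive hash, so the
    response for non-existent accounts is measurably faster."""
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    return hmac.compare_digest(_counted_derive(password, salt), stored)

def check_constant(user: str, password: bytes) -> bool:
    """Hardened: always derive against a real or dummy credential, then
    fold the existence check into the result without skipping work."""
    salt, stored = USERS.get(user, (DUMMY_SALT, DUMMY_HASH))
    matched = hmac.compare_digest(_counted_derive(password, salt), stored)
    return matched and user in USERS

def hash_work(check, user: str, password: str):
    """Return (accepted, number of derivations) for one login attempt."""
    global hash_calls
    hash_calls = 0
    accepted = check(user, password.encode())
    return accepted, hash_calls
```

Counting derivations rather than wall-clock time makes the difference reproducible: the leaky check does zero work for a non-existent user, the hardened one does exactly as much as for a real one.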
