control: reassign -1 openssh-server 6.7p1-5+deb8u2

[ please don't keep me in the recipients while discussing the bug ]

On Wed, Jun 15, 2016 at 10:55:12PM -0400, Raouf M. Bencheraiet wrote:
> Package: opernssh-server

typoed name :)

> Version: 6.7p1-5+deb8u2
>
> When trying to connect to a host with an invalid username and the
> "too many authentication failures" is hit, the host leaks whether the
> username is valid or not.
>
>
> for ex:
>
> ssh badusr@X.X.X.X
> Received disconnect from X.X.X.X port 22:2: Too many authentication
> failures for invalid user badusr from Y.Y.Y.Y port 47706 ssh2
> Connection to X.X.X.X closed by remote host.
> Connection to X.X.X.Xclosed.
>
>
> the problem is in auth_maxtries_exceeded (auth.c:331) :
>
> auth_maxtries_exceeded(Authctxt *authctxt)
> {
>         packet_disconnect("Too many authentication failures for "
>             "%s%.100s from %.200s port %d %s",
>             authctxt->valid ? "" : "invalid user ",
>             authctxt->user,
>             get_remote_ipaddr(),
>             get_remote_port(),
>             compat20 ? "ssh2" : "ssh1");
>         /* NOTREACHED */
> }
>
> it seems to have been fixed in a later release of openssh
>
> https://github.com/openssh/openssh-portable/commit/6f621603f9cff2a5d6016a404c96cb2f8ac2dec0
> --
> - Unix is fundamentally a simple system, but you have to be a genius to
> understand its simplicity.
> - Do not seek death, death will ultimately find you. Seek the road that
> makes death a fulfilment.

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
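The leak reported above, modelled as an added example (not code from the report, from OpenSSH, or from the linked commit): the disconnect text built as in the quoted function, next to a hardened shape that writes the detail to the server log and sends the peer a constant string. The struct, function names, log wording and the 192.0.2.10 address are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the two Authctxt fields used in the report. */
struct authctxt_model {
	int valid;          /* 1 if the account exists on the server */
	const char *user;   /* username supplied by the client */
};

/* Behaviour from the report: validity is formatted into the peer-visible text. */
static void
leaky_disconnect_msg(const struct authctxt_model *a, const char *ip, int port,
    char *peer, size_t peerlen)
{
	snprintf(peer, peerlen,
	    "Too many authentication failures for %s%.100s from %.200s port %d ssh2",
	    a->valid ? "" : "invalid user ", a->user, ip, port);
}

/* Hardened shape (assumed): detail goes to the log, the peer text is constant. */
static void
hardened_disconnect_msg(const struct authctxt_model *a, const char *ip, int port,
    char *peer, size_t peerlen, char *logline, size_t loglen)
{
	snprintf(logline, loglen,
	    "maximum authentication attempts exceeded for %s%.100s from %.200s port %d",
	    a->valid ? "" : "invalid user ", a->user, ip, port);
	snprintf(peer, peerlen, "Too many authentication failures");
}

/* Returns 1 if the peer-visible text differs between an existing and a
 * non-existing account when the same username string is supplied for both. */
static int
peer_text_reveals_validity(int hardened)
{
	struct authctxt_model yes = { 1, "probe" }, no = { 0, "probe" };
	char p1[512], p2[512], l1[512], l2[512];

	if (hardened) {
		hardened_disconnect_msg(&yes, "192.0.2.10", 47706, p1, sizeof(p1), l1, sizeof(l1));
		hardened_disconnect_msg(&no, "192.0.2.10", 47706, p2, sizeof(p2), l2, sizeof(l2));
	} else {
		leaky_disconnect_msg(&yes, "192.0.2.10", 47706, p1, sizeof(p1));
		leaky_disconnect_msg(&no, "192.0.2.10", 47706, p2, sizeof(p2));
	}
	return strcmp(p1, p2) != 0;
}

int main(void) { printf("leaky=%d hardened=%d\n", peer_text_reveals_validity(0), peer_text_reveals_validity(1)); return 0; }
```

The same comparison works as a regression check: any field derived from account validity that reaches the peer-visible string makes the two outputs differ.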