control: reassign -1 openssh-server 6.7p1-5+deb8u2
[ please don't keep me in the recipients while discussing the bug ]
On Wed, Jun 15, 2016 at 10:55:12PM -0400, Raouf M. Bencheraiet wrote:
> Package: opernssh-server
typoed name :)
> Version: 6.7p1-5+deb8u2
>
> When trying to connect to a host with an invalid username and the
> "too many authentication failures" is hit, the host leaks whether the
> username is valid or not.
>
>
> for ex:
>
> ssh badusr@X.X.X.X
> Received disconnect from X.X.X.X port 22:2: Too many authentication
> failures for invalid user badusr from Y.Y.Y.Y port 47706 ssh2
> Connection to X.X.X.X closed by remote host.
> Connection to X.X.X.Xclosed.
>
>
> the problem is in auth_maxtries_exceeded (auth.c:331) :
>
> auth_maxtries_exceeded(Authctxt *authctxt)
> {
>         packet_disconnect("Too many authentication failures for "
>             "%s%.100s from %.200s port %d %s",
>             authctxt->valid ? "" : "invalid user ",
>             authctxt->user,
>             get_remote_ipaddr(),
>             get_remote_port(),
>             compat20 ? "ssh2" : "ssh1");
>         /* NOTREACHED */
> }
>
> it seems to have been fixed in a later release of openssh
>
> https://github.com/openssh/openssh-portable/commit/6f621603f9cff2a5d6016a404c96cb2f8ac2dec0
> --
> - Unix is fundamentally a simple system, but you have to be a genius to
> understand its simplicity.
> - Do not seek death, death will ultimately find you. Seek the road that
> makes death a fulfilment.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me: https://mapreri.org                              : :' :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
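
The leak described in the report, next to one way of closing it, as an added example that is not part of the original message and is not OpenSSH code. The struct, the function names and the sample user and address are hypothetical; the hardened variant (constant text to the peer, detail only in the server log) is an assumption about a reasonable fix, not a copy of the linked commit.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the two Authctxt fields the message uses. */
struct authctxt_sketch {
	int valid;		/* non-zero when the account exists */
	const char *user;	/* name supplied by the client */
};

/* Text sent to the peer, formatted as in the function quoted in the report. */
static void
peer_msg_reported(char *buf, size_t len, const struct authctxt_sketch *a,
    const char *ip, int port)
{
	snprintf(buf, len, "Too many authentication failures for "
	    "%s%.100s from %.200s port %d ssh2",
	    a->valid ? "" : "invalid user ", a->user, ip, port);
}

/* Hardened variant: constant text for the peer, detail only in the log line. */
static void
peer_msg_hardened(char *peer, size_t plen, char *log, size_t llen,
    const struct authctxt_sketch *a, const char *ip, int port)
{
	snprintf(log, llen, "maximum authentication attempts exceeded for "
	    "%s%.100s from %.200s port %d",
	    a->valid ? "" : "invalid user ", a->user, ip, port);
	snprintf(peer, plen, "Too many authentication failures");
}

/* Returns 1 if the peer-visible text differs between an existing and a
 * missing account with the same name, 0 if the two are identical. */
static int
peer_text_depends_on_validity(int hardened)
{
	struct authctxt_sketch known = { 1, "alice" }, unknown = { 0, "alice" };
	char m1[512], m2[512], log[512];
	const char *ip = "192.0.2.10";	/* constructed sample address */

	if (hardened) {
		peer_msg_hardened(m1, sizeof(m1), log, sizeof(log), &known, ip, 47706);
		peer_msg_hardened(m2, sizeof(m2), log, sizeof(log), &unknown, ip, 47706);
	} else {
		peer_msg_reported(m1, sizeof(m1), &known, ip, 47706);
		peer_msg_reported(m2, sizeof(m2), &unknown, ip, 47706);
	}
	return strcmp(m1, m2) != 0;
}

int
main(void)
{
	printf("reported: %d, hardened: %d\n",
	    peer_text_depends_on_validity(0), peer_text_depends_on_validity(1));
	return 0;
}
```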