[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jul 1 10:32:14 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=611

           Summary: Unnecessary authentication attempt in auth2-none.c
                    creates delay
           Product: Portable OpenSSH
           Version: 3.6.1p2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: matthewg at zevils.com


The userauth_none function, which is called at the start of every SSH2
connection, attempts to authenticate the user by calling auth_password with an
empty password.  In the case where the user's password is not empty, which will
be the majority of the time, this can create a noticable delay, since many
systems are set up to insert a pause after a failed authentication attempt in
order to prevent brute-force attacks.  The attached patch will suppress the
auth_password call in userauth_none if the PermitEmptyPasswords option is turned
off.  On my system (Debian GNU/Linux sid), this eliminates a two-second delay in
logging in.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.




More information about the openssh-bugs mailing list