[Bug 971] keyboard-interactive/pam leaks info about user existence

bugzilla-daemon at mindrot.org
Tue Jan 11 18:06:51 EST 2005


           Summary: keyboard-interactive/pam leaks info about user existence
           Product: Portable OpenSSH
           Version: -current
          Platform: All
               URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281595
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: dtucker at zip.com.au
   Estimated Hours: 0.00

During keyboard-interactive authentication, if the PAM stack inserts a delay on
bad logins, the delay will be present for accounts that exist, and not present
for accounts that do not.

One solution for 3.9p1 is to set "ChallengeResponseAuthentication no" and
"PasswordAuthentication yes" in sshd_config, since PasswordAuthentication does
not have this issue.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
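
A check for the workaround named in the report, added here as an example (not part of the original report or of OpenSSH). It assumes the sshd_config(5) rules that keywords are case-insensitive, the first value seen wins, and both options default to "yes" when unset; the Match handling applies only to later OpenSSH releases, and the sample configs are constructed.

```python
import re

# Assumed defaults per sshd_config(5): both options are "yes" when unset,
# so a config that never mentions them still offers keyboard-interactive.
DEFAULTS = {
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "yes",
}

def effective_global(config_text):
    """Return the effective global value of each option in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        # "Keyword value" and "Keyword=value" are both accepted by sshd.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # later OpenSSH: lines after Match are conditional
        args = parts[1].split() if len(parts) == 2 else []
        # First occurrence wins; later duplicates are ignored by sshd.
        if key in DEFAULTS and key not in seen and args:
            seen[key] = args[0].strip('"').lower()
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def workaround_applied(config_text):
    """True if the config matches the workaround given in the report."""
    eff = effective_global(config_text)
    return (eff["challengeresponseauthentication"] == "no"
            and eff["passwordauthentication"] == "yes")

# Constructed sample configs.
SAMPLE_UNSET = "Port 22\nUsePAM yes\n"
SAMPLE_COMMENTED = "#ChallengeResponseAuthentication no\nPasswordAuthentication yes\n"
SAMPLE_FIXED = ("challengeresponseauthentication no\n"
                "PasswordAuthentication yes\n"
                "ChallengeResponseAuthentication yes\n")

if __name__ == "__main__":
    for name in ("SAMPLE_UNSET", "SAMPLE_COMMENTED", "SAMPLE_FIXED"):
        print(name, workaround_applied(globals()[name]))
```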
