[Bug 971] keyboard-interactive/pam leaks info about user existence
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Tue Jan 11 18:06:51 EST 2005
http://bugzilla.mindrot.org/show_bug.cgi?id=971
Summary: keyboard-interactive/pam leaks info about user existence
Product: Portable OpenSSH
Version: -current
Platform: All
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281595
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: dtucker at zip.com.au
Estimated Hours: 0.00
During keyboard-interactive authentication, if the PAM stack inserts a delay on
bad logins, the delay will be present for accounts that exist, and not present
for accounts that do not.
One solution for 3.9p1 is to set "ChallengeResponseAuthentication no" and
"PasswordAuthentication yes" in sshd_config, since PasswordAuthentication does
not have this issue.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the openssh-bugs
mailing list