[Bug 975] Kerberos authentication timing can leak information about account validity
bugzilla-daemon at mindrot.org
Thu Jan 20 20:45:15 EST 2005
http://bugzilla.mindrot.org/show_bug.cgi?id=975
Summary: Kerberos authentication timing can leak information about account validity
Product: Portable OpenSSH
Version: -current
Platform: All
URL: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=110371328918329&w=2
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: dtucker at zip.com.au
There is apparently a difference in behaviour in the Kerberos code for existing
vs nonexistent users. See the thread in the URL.
To summarise the thread:
Senthil Kumar said:
> I tested [with the patch in bug #971 - dt] OpenSSH-3.9p1 with the following
> options in sshd configuration
>
> ChallengeResponseAuthentication `no`
> KerberosAuthentication `yes`
> passwordauthentication `yes`
>
> but it shows difference in time for the appearance of password prompts for
> both valid and invalid users. The code shows PAM-password Authentication is
> not attempted when KerberosAuthentication is enabled. So by disabling
> kerberosAuthentication there is no difference in time for the appearance of
> password prompts for both valid and invalid users (i.e. both cases have
> considerable amount of delay).
Later testing showed that the early return in auth-krb5.c when !authctxt->valid
is the cause of the difference.
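
The early-return pattern described in the report, next to a form that does the same amount of work for every account, as an added example that is not part of the bug report and is not OpenSSH code. The struct, function names, placeholder principal and credentials are all hypothetical, and the slow Kerberos exchange is simulated by a call counter so the difference is visible without measuring time.

```c
/* Added illustration; NOT OpenSSH code. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

struct authctxt { const char *user; int valid; };  /* valid: account exists */

static unsigned kdc_calls;  /* counts simulated KDC round trips (the slow step) */

/* Stand-in for the expensive Kerberos exchange; constructed credentials. */
static int kdc_verify(const char *principal, const char *password)
{
    kdc_calls++;
    return strcmp(principal, "alice") == 0 && strcmp(password, "s3cret") == 0;
}

/* Pattern from the report: unknown accounts return before the slow step. */
static int auth_leaky(const struct authctxt *a, const char *password)
{
    if (!a->valid)
        return 0;                 /* fast path exists only for invalid users */
    return kdc_verify(a->user, password);
}

/* Equalised form: every attempt pays for the slow step; validity gates the result. */
static int auth_uniform(const struct authctxt *a, const char *password)
{
    /* Unknown accounts are checked against a placeholder principal. */
    const char *principal = a->valid ? a->user : "NOUSER";
    int ok = kdc_verify(principal, password);
    return a->valid && ok;
}

/* Number of slow steps one attempt costs under the given implementation. */
static unsigned cost(int (*fn)(const struct authctxt *, const char *),
                     const struct authctxt *a, const char *password)
{
    kdc_calls = 0;
    (void)fn(a, password);
    return kdc_calls;
}

int main(void)
{
    struct authctxt known = { "alice", 1 }, unknown = { "mallory", 0 };
    printf("leaky:   valid=%u invalid=%u\n", cost(auth_leaky, &known, "x"), cost(auth_leaky, &unknown, "x"));
    printf("uniform: valid=%u invalid=%u\n", cost(auth_uniform, &known, "x"), cost(auth_uniform, &unknown, "x"));
    return 0;
}
```

Equal call counts are only a proxy for equal response time: the placeholder lookup has to cost the same as a real one on the actual KDC, which needs to be confirmed by measurement.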