[Bug 975] Kerberos authentication timing can leak information about account validity

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jan 20 22:20:21 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=975





------- Additional Comments From senthilkumar_sen at hotpop.com  2005-01-20 22:20 -------
Created an attachment (id=778)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=778&action=view)
Patch for Kerberos timing difference for Valid and Invalid user

For PAM-Passwd authentication with KerberosAuthentication set to yes,
there is a time difference between a valid user and an invalid user. The attached
patch fixes that. I was asked on the mailing lists to move the authctxt->valid check
to the out block in auth-krb5.c, but I think it is not necessary.


