[Bug 3934] New: check_pam_user() is an oracle for user names
bugzilla-daemon at mindrot.org
Wed Mar 4 22:29:08 AEDT 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3934
Bug ID: 3934
Summary: check_pam_user() is an oracle for user names
Product: Portable OpenSSH
Version: 10.0p2
Hardware: Other
OS: Solaris
Status: NEW
Severity: security
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: chsdik at gmail.com
When a non-valid username is used, a PAM configuration can fail
immediately on the second time to run pam() (as there are
multiple ways to authenticate a user).
The connection is dropped immediately with: PAM user mismatch
(ROOT != NOUSER)