[openssh-commits] [openssh] branch master updated (a162dd5 -> 9286875)
git+noreply at mindrot.org
Fri Jul 15 13:46:12 AEST 2016
This is an automated email from the git hooks/post-receive script.
dtucker pushed a change to branch master
in repository openssh.
from a162dd5 OpenSSL 1.1.x not currently supported.
new 9286875 Determine appropriate salt for invalid users.
The 1 revision listed above as "new" is entirely new to this
repository and will be described in a separate email. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 9286875a73b2de7736b5e50692739d314cd8d9dc
Author: Darren Tucker <dtucker at zip.com.au>
Date: Fri Jul 15 13:32:45 2016 +1000
Determine appropriate salt for invalid users.
When sshd is processing a non-PAM login for a non-existent user it uses
the string from the fakepw structure as the salt for crypt(3)ing the
password supplied by the client. That string has a Blowfish prefix, so on
systems that don't understand that, crypt will fail fast due to an invalid
salt, and even on those that do it may have significantly different timing
from the hash methods used for real accounts (e.g. sha512). This allows
user enumeration by, e.g., sending large password strings. This was noted
by EddieEzra.Harari at verint.com (CVE-2016-6210).
To mitigate, use the same hash algorithm that root uses for hashing
passwords for users that do not exist on the system. ok djm@
Summary of changes:
auth-passwd.c | 12 ++++++++----
openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 4 deletions(-)
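An added illustration of the mitigation described in the commit message (example code written for this page, not OpenSSH's own xcrypt.c): derive the crypt(3) salt used for a nonexistent user from root's stored hash, so the fake-user path selects the same algorithm and parameters as a real account. The function names, the salt-length table and the random salt generation are this example's assumptions.

```python
import re
import secrets
import string

# Characters valid in a crypt(3) salt (the itoa64 alphabet "./0-9A-Za-z").
SALT_ALPHABET = string.ascii_letters + string.digits + "./"

# Salt length in characters per modular-crypt algorithm id (assumed table):
# md5crypt ($1$) 8, sha256/sha512crypt ($5$/$6$) 16, bcrypt ($2a/2b/2y$) 22.
SALT_LEN = {"1": 8, "5": 16, "6": 16, "2a": 22, "2b": 22, "2y": 22}

_BCRYPT = re.compile(r"^\$(?P<id>2[aby])\$(?P<cost>\d{2})\$")
_MCF = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?")


def hash_prefix(stored_hash: str) -> str:
    """Return the algorithm/parameter prefix of a stored crypt(3) hash.

    '$6$rounds=5000$abcd$...'        -> '$6$rounds=5000$'
    '$2b$10$<22-char salt><31 hash>'  -> '$2b$10$'
    13-char traditional DES (no '$')  -> ''  (caller falls back to DES)
    Unknown '$id$' schemes            -> everything up to the last '$',
                                         so the same algorithm is still used.
    """
    m = _BCRYPT.match(stored_hash)
    if m:
        return m.group(0)
    m = _MCF.match(stored_hash)
    if m is None:
        return ""
    if m.group("id") in SALT_LEN:
        return m.group(0)
    return stored_hash[: stored_hash.rfind("$") + 1]


def random_salt(n: int) -> str:
    """Fresh random salt characters; the fake user never needs a fixed salt."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(n))


def fake_user_salt(root_hash: str) -> str:
    """Salt to hand to crypt(3) when the login name does not exist.

    Matching root's algorithm keeps the nonexistent-user path on the same
    (slow) hash as real accounts, instead of a Blowfish salt that may be
    rejected instantly or run at a very different speed.
    """
    prefix = hash_prefix(root_hash)
    if prefix == "":
        return random_salt(2)  # traditional DES: two-character salt
    algo = prefix.split("$")[1]
    return prefix + random_salt(SALT_LEN.get(algo, 16))
```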
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.