[openssh-commits] [openssh] branch master updated (a162dd5 -> 9286875)

git+noreply at mindrot.org
Fri Jul 15 13:46:12 AEST 2016


This is an automated email from the git hooks/post-receive script.

dtucker pushed a change to branch master
in repository openssh.

      from  a162dd5   OpenSSL 1.1.x not currently supported.
       new  9286875   Determine appropriate salt for invalid users.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit 9286875a73b2de7736b5e50692739d314cd8d9dc
Author: Darren Tucker <dtucker at zip.com.au>
Date:   Fri Jul 15 13:32:45 2016 +1000

    Determine appropriate salt for invalid users.
    
    When sshd is processing a non-PAM login for a non-existent user it uses
    the string from the fakepw structure as the salt for crypt(3)ing the
    password supplied by the client.  That string has a Blowfish prefix, so on
    systems that don't understand that crypt will fail fast due to an invalid
    salt, and even on those that do it may have significantly different timing
    from the hash methods used for real accounts (eg sha512).  This allows
    user enumeration by, eg, sending large password strings.  This was noted
    by EddieEzra.Harari at verint.com (CVE-2016-6210).
    
    To mitigate, use the same hash algorithm that root uses for hashing
    passwords for users that do not exist on the system.  ok djm@

Summary of changes:
 auth-passwd.c           | 12 ++++++++----
 openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 4 deletions(-)
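The mitigation the commit message describes, worked through as an added example that is not OpenSSH's own code (the actual change is in auth-passwd.c and openbsd-compat/xcrypt.c, whose contents this mail does not show): take the hash stored for root, keep its "$id$" prefix together with any cost field (the bcrypt cost, a sha-crypt "rounds=N", the yescrypt/scrypt parameter field), and generate fresh salt characters under that prefix, so that crypt(3) on the client-supplied password for a non-existent user runs the same algorithm at the same cost as it would for a real account, instead of failing fast on a Blowfish salt the platform does not understand. The scheme table, the names salt_like and check_salt, the xorshift generator and the sample hashes are all assumptions constructed for this example; a real implementation must draw salt bytes from a CSPRNG and must still have a fixed default for the case where root's hash is absent or locked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSH's xcrypt.c: derive a crypt(3) salt for a
 * non-existent user from the hash stored for root, so the fake login runs
 * the same algorithm with the same cost parameters as a real one. */

static const char salt_chars[] =   /* alphabet shared by the schemes below */
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Demo-only xorshift; a real sshd must draw salt bytes from a CSPRNG. */
static uint32_t demo_rnd(void)
{
    static uint32_t x = 0x9e3779b9u;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return x;
}

static void fill_salt(char *buf, size_t n, uint32_t (*rnd)(void))
{
    for (size_t i = 0; i < n; i++)
        buf[i] = salt_chars[rnd() % (sizeof(salt_chars) - 1)];
}

/* params: 0 = none, 1 = mandatory field after the id, 2 = optional "rounds=N". */
static const struct { const char *id; int params; size_t saltlen; } schemes[] = {
    { "1", 0, 8 },                                      /* md5crypt  $1$salt$hash */
    { "2a", 1, 22 }, { "2b", 1, 22 }, { "2y", 1, 22 },  /* bcrypt    $2b$cost$salthash */
    { "5", 2, 16 }, { "6", 2, 16 },                     /* sha*crypt $6$[rounds=N$]salt$hash */
    { "7", 1, 16 }, { "y", 1, 16 },                     /* scrypt, yescrypt $y$params$salt$hash */
};

/* Write into out a fresh salt that selects hash's scheme and parameters.
 * Returns 0, or -1 when hash is empty, locked ("*") or unrecognised; the
 * caller then falls back to a fixed strong default such as "$6$". */
int salt_like(const char *hash, char *out, size_t outlen, uint32_t (*rnd)(void))
{
    char buf[128];
    const char *p, *end;
    size_t i, n, nschemes = sizeof(schemes) / sizeof(schemes[0]);

    if (hash == NULL) return -1;
    while (*hash == '!') hash++;                /* shadow(5) lock marker */
    if (*hash == '\0' || *hash == '*') return -1;
    if (*hash != '$') {                         /* traditional DES: 2-char salt */
        if (strlen(hash) != 13 || outlen < 3) return -1;
        fill_salt(out, 2, rnd);
        out[2] = '\0';
        return 0;
    }
    p = hash + 1;
    if ((end = strchr(p, '$')) == NULL) return -1;
    for (i = 0; i < nschemes; i++)
        if (strlen(schemes[i].id) == (size_t)(end - p) && !strncmp(schemes[i].id, p, end - p))
            break;
    if (i == nschemes) return -1;
    n = (size_t)(end + 1 - hash);               /* keep "$id$" */
    memcpy(buf, hash, n);
    p = end + 1;
    if (schemes[i].params == 1 || (schemes[i].params == 2 && !strncmp(p, "rounds=", 7))) {
        if ((end = strchr(p, '$')) == NULL || n + (size_t)(end + 1 - p) >= sizeof(buf)) return -1;
        memcpy(buf + n, p, end + 1 - p);        /* keep "cost$", "rounds=N$" or "params$" */
        n += (size_t)(end + 1 - p);
    }
    if (n + schemes[i].saltlen >= sizeof(buf) || n + schemes[i].saltlen >= outlen) return -1;
    fill_salt(buf + n, schemes[i].saltlen, rnd);
    buf[n + schemes[i].saltlen] = '\0';
    memcpy(out, buf, n + schemes[i].saltlen + 1);
    return 0;
}

/* Test helper: 1 = salt has the expected prefix, length and alphabet,
 * 0 = produced but wrong shape, -1 = salt_like refused the hash. */
int check_salt(const char *hash, const char *prefix, size_t want_len)
{
    char salt[128];
    if (salt_like(hash, salt, sizeof(salt), demo_rnd) != 0) return -1;
    if (strlen(salt) != want_len || strncmp(salt, prefix, strlen(prefix))) return 0;
    for (size_t i = strlen(prefix); i < want_len; i++)
        if (strchr(salt_chars, salt[i]) == NULL) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample root hashes, not real credentials. */
    const char *roots[] = { "$6$rounds=5000$c3vZaPZk8xQ1Kl2m$Qm9ndXNIYXNo",
                            "$2b$10$N9qo8uLOickgx2ZMRZoMye", "abJnggxhB/yWI", "!" };
    char salt[128];
    for (size_t i = 0; i < sizeof(roots) / sizeof(roots[0]); i++)
        printf("%-44s -> %s\n", roots[i],
               salt_like(roots[i], salt, sizeof(salt), demo_rnd) ? "(refused; use default)" : salt);
    return 0;
}
```

The block only derives the salt, so it builds with any C99 compiler and needs no libcrypt; the string it returns is what you would pass as the second argument of crypt(3) when hashing the client-supplied password for the non-existent user. The point of keeping the cost field, not just the "$id$", is that a "$6$" salt without root's "rounds=" would still take a measurably different time from a real "$6$rounds=N$" login.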

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.