[openssh-commits] [openssh] branch master updated (9286875 -> 283b97f)

git+noreply at mindrot.org
Fri Jul 15 14:00:19 AEST 2016


This is an automated email from the git hooks/post-receive script.

dtucker pushed a change to branch master
in repository openssh.

      from  9286875   Determine appropriate salt for invalid users.
       new  283b97f   Mitigate timing of disallowed users PAM logins.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit 283b97ff33ea2c641161950849931bd578de6946
Author: Darren Tucker <dtucker at zip.com.au>
Date:   Fri Jul 15 13:49:44 2016 +1000

    Mitigate timing of disallowed users PAM logins.
    
    When sshd decides to not allow a login (eg PermitRootLogin=no) and
    it's using PAM, it sends a fake password to PAM so that the timing for
    the failure is not noticeably different whether or not the password
    is correct.  This behaviour can be detected by sending a very long
    password string which is slower to hash than the fake password.
    
    Mitigate by constructing an invalid password that is the same length
    as the one from the client and thus takes the same time to hash.
    Diff from djm@

Summary of changes:
 auth-pam.c | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
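The commit message above only describes the change; the diff itself is not in this mail. As an added illustration (my own reconstruction, not the committed auth-pam.c code), here is the idea in C: the fake password handed to PAM is built to the same length as the one the client sent, and a block-count proxy for hash cost shows why a fixed short stand-in is observable with a very long client password while the same-length one is not. The function names, the junk filler string and the SHA-512 block-count model are assumptions for this example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
/* Filler bytes, never a valid password; its 13-byte length also plays
 * the pre-fix fixed stand-in in fixed_fake_cost_differs(). Assumed value. */
static const char junk[] = "\b\n\r\177INCORRECT";

/* Mitigation: junk of exactly the client's password length, so PAM hashes
 * the same number of bytes whether or not the account is permitted.
 * Caller frees the result; NULL on failure. */
char *fake_password(const char *wire_password)
{
	size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
	char *ret;
	if (l >= INT_MAX || (ret = malloc(l + 1)) == NULL)
		return NULL;
	for (i = 0; i < l; i++)
		ret[i] = junk[i % (sizeof(junk) - 1)];
	ret[i] = '\0';
	return ret;
}

/* Length-dependent part of a SHA-512-based hash's work: number of 128-byte
 * compression blocks for len bytes + 0x80 pad byte + 16-byte length field. */
size_t sha512_blocks(size_t len)
{
	return (len + 1 + 16 + 127) / 128;
}

/* Pre-fix scheme: 1 if the fixed 13-byte stand-in costs a different number
 * of blocks than an n-byte client password would (the refusal is visible). */
int fixed_fake_cost_differs(size_t n)
{
	return sha512_blocks(sizeof(junk) - 1) != sha512_blocks(n);
}

/* Fixed scheme: 1 if the fake built for an n-byte password has the same
 * length (hence the same block count) yet is a different string. */
int same_length_fake_ok(size_t n)
{
	char *pw = malloc(n + 1), *fake;
	int ok = 0;
	if (pw == NULL)
		return 0;
	memset(pw, 'A', n);          /* constructed client password */
	pw[n] = '\0';
	if ((fake = fake_password(pw)) != NULL) {
		ok = strlen(fake) == n && (n == 0 || strcmp(fake, pw) != 0);
		free(fake);
	}
	free(pw);
	return ok;
}
```

With a 7-byte client password both schemes cost one block, which is why the commit message notes the difference only shows up with a very long password string.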

