Information leakage in sshd
Christian Kurz
shorty at debian.org
Thu Dec 28 21:38:43 EST 2000
Hi guys,
and here's a security related bug report. I think it's has been fixed in
the 2.2.x-release of openssh, but I'm not sure. I tried to reproduce the
problem with my 2.2.0p1 and could find any difference in the behaviour
of ssh depending on wether PermitRootLogin was set to no. Could someone
please confirm that this problem is not existing anymore?
> When PermitRootLogin is set to no in /etc/ssh/sshd_config it should not
> be possible to determine whether a root password is correct remotely.
> However sshd behaves differently depending on whether the password is
> correct.
> host% ssh root at localhost
> root at localhost's password: [typed the correct password]
> Received disconnect: ROOT LOGIN REFUSED FROM localhost
> host% ssh root at localhost
> root at localhost's password: [typed an incorrect password]
> [pauses a second, then prints:]
> Permission denied, please try again.
Thanks for all your feedback and your great work.
Ciao
Christian
--
Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
More information about the openssh-unix-dev
mailing list