Information leakage in sshd
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Thu Dec 28 23:31:37 EST 2000
this has been fixed 2000/03/09.
On Thu, Dec 28, 2000 at 11:38:43AM +0100, Christian Kurz wrote:
> Hi guys,
>
> and here's a security-related bug report. I think it has been fixed in
> the 2.2.x-release of openssh, but I'm not sure. I tried to reproduce the
> problem with my 2.2.0p1 and could find any difference in the behaviour
> of ssh depending on whether PermitRootLogin was set to no. Could someone
> please confirm that this problem is not existing anymore?
>
> > When PermitRootLogin is set to no in /etc/ssh/sshd_config it should not
> > be possible to determine whether a root password is correct remotely.
> > However sshd behaves differently depending on whether the password is
> > correct.
>
> > host% ssh root@localhost
> > root@localhost's password: [typed the correct password]
> > Received disconnect: ROOT LOGIN REFUSED FROM localhost
>
> > host% ssh root@localhost
> > root@localhost's password: [typed an incorrect password]
> > [pauses a second, then prints:]
> > Permission denied, please try again.
>
> Thanks for all your feedback and your great work.
>
> Ciao
> Christian
> --
> Debian Developer and Quality Assurance Team Member
> 1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
>
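
The behaviour in the quoted report can be modelled as a policy check whose distinct reply is reachable only after the password has been verified. The following is an added example, not OpenSSH code and not part of the original thread; the account table, function names and reply values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Replies a remote client can tell apart. */
enum reply { DENIED, ROOT_REFUSED_DISCONNECT, ACCEPTED };

/* Constructed demo accounts; a real server would verify a password hash. */
struct account { const char *user; const char *password; };
static const struct account accounts[] = {
    { "root",  "constructed-root-pw"  },
    { "alice", "constructed-alice-pw" },
};

/* Hypothetical helper: 1 if pw matches the stored password for user. */
static int password_matches(const char *user, const char *pw)
{
    size_t i;
    for (i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcmp(accounts[i].user, user) == 0)
            return strcmp(accounts[i].password, pw) == 0;
    return 0;
}

/* Leaky order: the root policy is consulted only after the password check
 * succeeds, so the distinct reply confirms that the guess was correct. */
enum reply auth_leaky(const char *user, const char *pw, int permit_root)
{
    if (!password_matches(user, pw))
        return DENIED;
    if (strcmp(user, "root") == 0 && !permit_root)
        return ROOT_REFUSED_DISCONNECT;
    return ACCEPTED;
}

/* Uniform order: the password check still runs, so both paths do the same
 * work, but a refused root login gets the same reply as a wrong password. */
enum reply auth_uniform(const char *user, const char *pw, int permit_root)
{
    int allowed = !(strcmp(user, "root") == 0 && !permit_root);
    int ok = password_matches(user, pw);
    return (ok && allowed) ? ACCEPTED : DENIED;
}

int main(void)
{
    printf("leaky:   right=%d wrong=%d\n", auth_leaky("root", "constructed-root-pw", 0), auth_leaky("root", "x", 0));
    printf("uniform: right=%d wrong=%d\n", auth_uniform("root", "constructed-root-pw", 0), auth_uniform("root", "x", 0));
    return 0;
}
```

With root logins disabled, the first function returns different replies for a right and a wrong root password, while the second returns the same reply for both.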