[Galen Hancock <galen at veribox.net>] Information leakage in sshd
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Fri Mar 10 06:48:34 EST 2000
I just committed my fix posted on Feb 17.
On Thu, Mar 09, 2000 at 05:12:02PM +0000, Philip Hands wrote:
> Hi,
>
> Thought I'd just forward this here, because I don't have time to look
> into it right now, and am off skiing next week.
>
> I'd guess that we should be checking for username = "root" before
> going off to do password checks, and rejecting it on that basis first.
>
> Cheers, Phil.
> --
> Mind-numbingly stupid UK law alert!
> Act now to stop it! http://www.stand.org.uk/
> Resent-Date: 8 Mar 2000 20:35:57 -0000
> Resent-Cc: recipient list not shown: ;
> Date: Wed, 8 Mar 2000 11:20:39 -0800
> From: Galen Hancock <galen at veribox.net>
> To: security at debian.org, submit at bugs.debian.org
> Subject: Information leakage in sshd
> Gnus-Warning: This is a duplicate of message <20000308112038.O5093 at c109854-a.frmt1.sfba.home.com>
> Message-ID: <20000308112038.O5093 at c109854-a.frmt1.sfba.home.com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Resent-Message-ID: <0xvpe.A.p4D.rmrx4 at murphy>
> Resent-From: debian-private at lists.debian.org
> Resent-Sender: debian-private-request at lists.debian.org
>
> Package: ssh
> Version: 1:1.2.2-1.4
>
> When PermitRootLogin is set to no in /etc/ssh/sshd_config it should not
> be possible to determine whether a root password is correct remotely.
> However sshd behaves differently depending on whether the password is
> correct.
>
> fre-76-51% ssh root at localhost
> root at localhost's password: [typed the correct password]
> Received disconnect: ROOT LOGIN REFUSED FROM localhost
>
> fre-76-51% ssh root at localhost
> root at localhost's password: [typed an incorrect password]
> [pauses a second, then prints:]
> Permission denied, please try again.
>
> Thanks,
> Galen
>
>
> --
> Please respect the privacy of this mailing list.
>
> To UNSUBSCRIBE, email to debian-private-request at lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster at lists.debian.org
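The ordering problem Galen describes, shown in C as an added illustration (this is not sshd's code and not the fix Markus committed): `auth_leaky` verifies the password first and applies PermitRootLogin only afterwards, so for root a correct and an incorrect password yield different answers, which is the oracle in the report. `auth_fixed` decides on root before reporting anything, as Phil suggests, and returns one generic failure either way; `distinguishable` checks whether a given ordering leaks. The result enum, the function names and the one-entry password table are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the system password database: a single root
   entry with a made-up password. No real crypt() or shadow lookup here. */
static const char *FAKE_ROOT_PASSWORD = "correct-horse";

static bool password_ok(const char *user, const char *pw)
{
    if (strcmp(user, "root") == 0)
        return strcmp(pw, FAKE_ROOT_PASSWORD) == 0;
    return false; /* constructed: no other accounts in this toy table */
}

enum auth_result { AUTH_OK, AUTH_PERMISSION_DENIED, AUTH_ROOT_REFUSED };

/* Ordering from the bug report: the password is checked first, and the
   PermitRootLogin policy is consulted only once the password was right.
   A wrong guess gets "permission denied", a right one gets "root login
   refused", so the reply reveals whether the guess was correct. */
enum auth_result auth_leaky(bool permit_root_login, const char *user, const char *pw)
{
    if (!password_ok(user, pw))
        return AUTH_PERMISSION_DENIED;
    if (strcmp(user, "root") == 0 && !permit_root_login)
        return AUTH_ROOT_REFUSED;
    return AUTH_OK;
}

/* Ordering Phil proposes: decide whether root may log in at all before
   the password result influences the reply, and report one generic
   failure. The password check still runs so the failure path is the same
   whether or not the guess was right (a simplification: no delay is
   modelled here). */
enum auth_result auth_fixed(bool permit_root_login, const char *user, const char *pw)
{
    bool root_blocked = (strcmp(user, "root") == 0 && !permit_root_login);
    bool ok = password_ok(user, pw);
    if (root_blocked || !ok)
        return AUTH_PERMISSION_DENIED;
    return AUTH_OK;
}

/* True when, with PermitRootLogin=no, a correct and an incorrect root
   password produce different results, i.e. the ordering acts as an oracle. */
bool distinguishable(enum auth_result (*auth)(bool, const char *, const char *))
{
    enum auth_result right = auth(false, "root", FAKE_ROOT_PASSWORD);
    enum auth_result wrong = auth(false, "root", "wrong-guess");
    return right != wrong;
}

int main(void)
{
    printf("leaky ordering leaks: %s\n", distinguishable(auth_leaky) ? "yes" : "no");
    printf("fixed ordering leaks: %s\n", distinguishable(auth_fixed) ? "yes" : "no");
    return 0;
}
```

The useful property to test for is the one `distinguishable` encodes: with root logins disabled, nothing the client can observe should depend on whether the root password was right.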