openssh reveals existing accounts?

Markus Friedl markus at openbsd.org
Sat Dec 29 06:40:25 EST 2001


On Fri, Dec 28, 2001 at 11:28:56AM -0800, Florin Andrei wrote:
> On Fri, 2001-12-28 at 11:18, Markus Friedl wrote:
> > On Fri, Dec 28, 2001 at 11:14:35AM -0800, Florin Andrei wrote:
> > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=57859
> > > 
> > > There's a method to see if an account exists or not: if it does exist,
> > > and the password fails, there's a small delay before getting the prompt
> > > again. But if it doesn't, the password prompt returns immediately.
> > 
> > i doubt this.
> 
> I would certainly believe you, but i prefer to believe my own eyes. :-)
> See the link in my message for details.

your report is lacking details.

this all depends on the speed of crypt() on the target system.

also,
	When you login by ssh to a host and the password fails, there's
	a small delay before getting the password prompt again, which
	prevents bruteforce attacks.
is wrong, this has nothing to do with bruteforce prevention.

-m
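The timing difference argued about above comes down to whether the server does the expensive crypt() work for a nonexistent account or returns at once. The following added example (not code from the thread or from OpenSSH) models that with a deliberately slow password hash standing in for crypt(): leaky_login skips the hash when the user is unknown, fixed_login always hashes against a dummy record so both paths cost the same. The user database, passwords and salts are constructed for the demonstration.

```python
"""
Login check that leaks account existence through timing, beside one that does not.
Added example; the user records and passwords below are constructed, not real.
"""
import hashlib
import hmac
import time

ROUNDS = 100_000  # make the hash deliberately slow, as crypt() is on a real system


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash standing in for crypt()."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


# Constructed user database: username -> (salt, stored hash).
USERS = {
    "alice": (b"salt-alice", hash_password("correct horse", b"salt-alice")),
}

# Dummy record, hashed once at startup, used whenever the username is unknown
# so that a miss costs exactly one hash_password call, like a hit does.
FAKE_SALT = b"fake-salt"
FAKE_HASH = hash_password("never-a-valid-password", FAKE_SALT)


class WorkCounter:
    """Counts expensive hash calls so the work done per path can be checked."""

    def __init__(self) -> None:
        self.hash_calls = 0


def leaky_login(user: str, password: str, counter: WorkCounter) -> bool:
    """Returns early for unknown users: no hash is computed, so the prompt
    comes back immediately and the delay reveals whether the account exists."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    counter.hash_calls += 1
    return hmac.compare_digest(hash_password(password, salt), stored)


def fixed_login(user: str, password: str, counter: WorkCounter) -> bool:
    """Always performs the hash, against a dummy record for unknown users,
    so a failed login takes the same time whether or not the account exists."""
    entry = USERS.get(user)
    salt, stored = entry if entry is not None else (FAKE_SALT, FAKE_HASH)
    counter.hash_calls += 1
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    # Even a guess matching the dummy record must never log an unknown user in.
    return matched and entry is not None


def timing_ratio(login_fn, known="alice", unknown="nosuchuser", password="wrong") -> float:
    """Wall-clock time of a failed login for an unknown user divided by that
    for a known user; near 1.0 means the timing no longer separates the two."""

    def elapsed(user: str) -> float:
        start = time.perf_counter()
        login_fn(user, password, WorkCounter())
        return time.perf_counter() - start

    return elapsed(unknown) / elapsed(known)


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_login), ("fixed", fixed_login)):
        print(f"{name:5s}: unknown/known time ratio = {timing_ratio(fn):.3f}")
```

Running the block prints a ratio far below 1.0 for leaky_login and close to 1.0 for fixed_login; how far below depends, as Markus says, on how slow the hash is on the machine. The dummy record must be a real hash with a real salt, otherwise a fast-path comparison reintroduces the same difference.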
