[Bug 117] OpenSSH second-guesses PAM
bugzilla-daemon at mindrot.org
Fri Feb 15 10:10:10 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=117
------- Additional Comments From djm at mindrot.org 2002-02-15 10:10 -------
> OpenSSH traditionally would not even start PAM, and
> now starts it specifying 'NOUSER' as the login name.
We have always used NOUSER, the recent patch just makes it consistent between
protocols 1 and 2.
> The second is to prevent username guessing attacks - by
> always calling PAM the system should always suffer the
> same timeouts/delays no matter the existence of the
> attempted login.
I don't think this is the case: the auth code attempts
all authentications with the fake username anyway, so
this should not be an issue unless the PAM modules
themselves are broken.
We rely on getpwnam() working in lots of places, so changing
this would be a fair amount of work.
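An illustration of the behaviour discussed in the message above, where authentication is still attempted against a fake user when the name lookup fails. This is an added example, not OpenSSH code and not part of the original mail; the account table, the toy hash, the `hash_calls` counter and every name except NOUSER are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed account record standing in for a getpwnam() result. */
struct account { const char *name; uint64_t salt, hash; int valid; };

unsigned long hash_calls; /* counts expensive operations, for comparison */

/* Toy iterated FNV-1a standing in for a slow password hash (assumption:
 * not cryptographically suitable, it only makes the work measurable). */
static uint64_t slow_hash(const char *pw, uint64_t salt) {
    uint64_t h = 14695981039346656037ULL ^ salt;
    hash_calls++;
    for (int round = 0; round < 20000; round++)
        for (const char *p = pw; *p; p++) {
            h ^= (unsigned char)*p;
            h *= 1099511628211ULL;
        }
    return h;
}

static struct account users[] = { { "alice", 0x1234, 0, 1 } };
/* Fake entry substituted when the name is unknown; it can never succeed. */
static struct account fake = { "NOUSER", 0x9999, 0, 0 };

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return &fake; /* unknown user: keep going with the fake account */
}

/* Returns 1 only for a real account with the right password. */
int authenticate(const char *name, const char *pw) {
    static int ready;
    if (!ready) { /* fill in the constructed sample hashes once */
        users[0].hash = slow_hash("correct horse", users[0].salt);
        fake.hash = slow_hash("placeholder", fake.salt);
        ready = 1;
    }
    const struct account *a = lookup(name);
    int match = slow_hash(pw, a->salt) == a->hash; /* same work either way */
    return match & a->valid;
}
```

The `valid` flag, not the hash comparison, is what rejects the fake account, so a password that happens to match the fake entry still fails.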