[Bug 117] OpenSSH second-guesses PAM

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Feb 15 10:10:10 EST 2002


------- Additional Comments From djm at mindrot.org  2002-02-15 10:10 -------
> OpenSSH traditionally would not even start PAM, and
> now starts it specifying 'NOUSER' as the login name.

We have always used NOUSER, the recent patch just makes it consistent between
protocols 1 and 2.

> The second is to prevent username guessing attacks - by 
> always calling PAM the system should always suffer the 
> same timeouts/delays no matter the existance of the 
> attempted login.

I don't think this is the case: the auth code attempts 
all authentications with the fake username anyway, so 
this should not be an issue unless the PAM modules 
themselves are broken.

We rely on getpwnam() working in lots of places, so changing 
this would be a fair amount of work.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-unix-dev mailing list