[Bug 559] PAM fixes
Frank Cusack
fcusack at fcusack.com
Tue May 13 14:01:47 EST 2003
On Mon, May 12, 2003 at 10:41:27PM -0500, Ben Lindstrom wrote:
>
> [..]
> + * REDACTED
> + */
> + if (!options.password_authentication || !options.permit_empty_passwd)
> + return(0);
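Review bot: the condition on the `if` line tests only `options.password_authentication` and `options.permit_empty_passwd`, with nothing account-specific in it, but the comment above it does not say that the early `return(0)` is meant to be independent of the user. Suggest stating in that comment that the rejection depends only on these two sshd options and must stay ahead of any per-account lookup, so a later reorder does not turn it into a difference between existing and nonexistent accounts.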
>
> Check to ensure you're not leaking account information via timing attacks by
> re-adding this.
That is a good point, would some interested folks please give that a
review? I don't think it leaks account information, because the
behavior is the same for accounts that exist and accounts that don't
exist. The only difference in timing is based on sshd's option settings.
/fc
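
The ordering argument in the reply above, as an added example that is not part of the original message or of OpenSSH: `gate_first` mirrors the hunk's option check placed ahead of any account lookup, `lookup_first` is a contrasting order, and a work counter stands in for elapsed time. All function names, the account table and the cost values are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the two sshd options named in the hunk. */
struct opts { int password_authentication; int permit_empty_passwd; };

/* Constructed sample account table; not real data. */
static const char *accounts[] = { "alice", "bob" };

static int work; /* counts operations performed, a proxy for elapsed time */

static int account_exists(const char *user) {
    int found = 0;
    for (size_t i = 0; i < sizeof accounts / sizeof *accounts; i++) {
        work++;                          /* every entry is always visited */
        found |= (strcmp(accounts[i], user) == 0);
    }
    return found;
}

static int verify_empty(const char *user) {
    (void)user;
    work += 10;            /* models a costly verification step (assumed) */
    return 1;
}

/* Order used in the hunk: options first, account not consulted on reject. */
int gate_first(const struct opts *o, const char *user) {
    if (!o->password_authentication || !o->permit_empty_passwd)
        return 0;
    return account_exists(user) & verify_empty(user); /* both always run */
}

/* Contrasting order: unknown accounts exit before the costly step. */
int lookup_first(const struct opts *o, const char *user) {
    if (!account_exists(user))
        return 0;
    if (!o->password_authentication || !o->permit_empty_passwd)
        return 0;
    return verify_empty(user);
}

/* Work done for one attempt; compare the result across user names. */
int cost(int (*fn)(const struct opts *, const char *),
         const struct opts *o, const char *user) {
    work = 0;
    fn(o, user);
    return work;
}
```

With `gate_first` the cost changes only with the option settings, never with the user name; with `lookup_first` and both options enabled, a known and an unknown name produce different costs.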