Is there a fix available for CAN-2003-0190

Sergio Gelato Sergio.Gelato at
Thu Dec 23 00:28:53 EST 2004

* Senthil Kumar [2004-12-22 15:50:52 +0530]:
> I tried the following  workaround in auth-krb5.c to overcome the difference 
> in appearance of delay in password prompts for valid and in valid users in 
> OpenSSH-3.9p1.
> diff auth-krb5.c auth-krb5.c-fix
> 78,79d77
> <       if (!authctxt->valid)
> <               return (0);
> 80a79,81
> >         if (!authctxt->valid)
> >           ;;

It looks to me like you're introducing a bug here. Looking at the code
immediately after that test makes it obvious:


If the authentication context is invalid, you shouldn't be passing it
as an argument to anything. Garbage in, garbage out, the saying goes.
In this case you're going to setuid() based on the invalid data...

> With this, there is no difference in time delay for appearance of password 
> prompts for both valid and invalid users with the following options in 
> sshd configuration.

I see that the rest of that function has an "if (problem) goto out;" after
every krb5 library call. Doesn't that also introduce measurable time
differences? Interesting.

Maybe one should fill in a dummy, valid authctxt in such cases, and 
make a note to fail the authentication at the end of the process.

More information about the openssh-unix-dev mailing list