openssh & delay

Darren Tucker dtucker at zip.com.au
Fri May 28 11:00:28 EST 2004


Giuseppe Ghibò wrote:
> Hi, I wrote you to ask whether this patch is OK for you. I extracted
> it from the current Debian openssh patch set.

FWIW it looks ok to me (but I'm biased, I put that patch together for 
Debian bug #192207).  It just short circuits the "none" checks if
PermitEmptyPasswords=no and feeds PAM a bogus password for root if 
PermitRootLogin!=yes.  Assuming you have PAM delay on failure, an 
attacker can trivially determine the PermitEmptyPasswords setting, but I 
think that's about it.

Credit where it's due: the bogus root password bit is originally from 
Openwall (their "owl-always-auth" patch).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
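
Added example, not part of the original message and not the Debian or Openwall patch: a small C model of the behaviour described above, in which a policy-denied root login still costs one backend round trip while a "none" attempt with PermitEmptyPasswords=no costs none. All names here (backend_check, attempt, the accounts, the bogus string) are hypothetical, and the backend call count stands in for the PAM failure delay.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not OpenSSH or PAM code. */
static int backend_calls;  /* one call = one PAM round trip, fail delay included */
static int last_ok;        /* result of the most recent attempt() */

/* Constructed account database: root/"toor", alice/"wonderland". */
static int backend_check(const char *user, const char *pw)
{
    backend_calls++;
    if (strcmp(user, "root") == 0) return strcmp(pw, "toor") == 0;
    if (strcmp(user, "alice") == 0) return strcmp(pw, "wonderland") == 0;
    return 0;
}

/* Password auth: a policy-denied root attempt still reaches the backend, with a bogus password. */
static int auth_password(int root_login_yes, const char *user, const char *pw)
{
    static const char bogus[] = "\n\rNOT-A-VALID-PASSWORD"; /* constructed */
    int denied = strcmp(user, "root") == 0 && !root_login_yes;
    int ok = backend_check(user, denied ? bogus : pw);
    return ok && !denied;
}

/* "none" auth: returns before the backend when empty passwords are off. */
static int auth_none(int empty_pw_yes, const char *user)
{
    if (!empty_pw_yes)
        return 0;               /* no backend call, hence no fail delay */
    return backend_check(user, "");
}

/* Runs one attempt (pw == NULL means "none"); returns backend calls used. */
static int attempt(int root_login_yes, int empty_pw_yes, const char *user, const char *pw)
{
    int before = backend_calls;
    last_ok = pw ? auth_password(root_login_yes, user, pw)
                 : auth_none(empty_pw_yes, user);
    return backend_calls - before;
}

int main(void)
{
    printf("root/correct pw, PermitRootLogin=no: %d call(s)\n", attempt(0, 0, "root", "toor"));
    printf("none, PermitEmptyPasswords=no: %d call(s)\n", attempt(0, 0, "alice", NULL));
    return 0;
}
```

The zero-call "none" path is the one observable difference the message mentions: with a delay on failure, it answers faster than every other rejected attempt.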




More information about the openssh-unix-dev mailing list