openssh & delay

Darren Tucker dtucker at zip.com.au
Fri May 28 23:39:58 EST 2004


Giuseppe Ghibò wrote:
> Darren Tucker wrote:
>> Assuming you have PAM delay on failure, an 
>> attacker can trivially determine the PermitEmptyPasswords setting, but 
>> I think that's about it.
> 
> Well, isn't this the same behaviour of current openssh 3.8?

Yes, and afaict it's unavoidable (since SSH2's "none" auth does double 
duty as "let me in if you require no further authentication" and "tell 
me the list of authentications required to continue", and PAM won't tell 
applications anything about what authentications it will require.)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
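
The two roles of the SSH2 "none" request described in the message above, as an added example that is not part of the original post and is not OpenSSH code. Message numbers and field layout follow RFC 4252; `server_reply` is a simplified model, and the user name and method lists in it are constructed. The request bytes are identical in both cases, and only the server's reply differs.

```python
import struct

# Message numbers from RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52

def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Return (bytes, new offset); reject a length that overruns the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n

def none_request(user: str) -> bytes:
    """Client side: USERAUTH_REQUEST(user, "ssh-connection", "none")."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(b"ssh-connection") + ssh_string(b"none"))

def server_reply(request: bytes, methods, no_auth_needed: bool) -> bytes:
    """Simplified server model (an assumption for illustration, not sshd)."""
    if not request or request[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    _user, off = read_string(request, 1)
    _service, off = read_string(request, off)
    method, off = read_string(request, off)
    if method != b"none":
        raise ValueError("this model only handles 'none'")
    if no_auth_needed:
        return bytes([SSH_MSG_USERAUTH_SUCCESS])   # role 1: "let me in"
    # role 2: name-list of methods that can continue, then partial-success = FALSE
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + ssh_string(",".join(methods).encode()) + b"\x00")

def parse_reply(reply: bytes):
    """Client side: return ("success", []) or ("failure", [method names])."""
    if reply and reply[0] == SSH_MSG_USERAUTH_SUCCESS:
        return "success", []
    if not reply or reply[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("unexpected reply")
    names, _ = read_string(reply, 1)
    return "failure", (names.decode().split(",") if names else [])
```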




More information about the openssh-unix-dev mailing list