Pam module leaks information

Senthil Kumar senthilkumar_sen at hotpop.com
Sat Jul 16 20:28:58 EST 2005


Hello All,

I'm using OpenSSH 4.1 with a proprietary PAM module. This module allows
or denies access to the account based on policy file settings. Now if I deny
access to an account and attempt to connect to the sshd server for that
account with a valid password, it quickly returns to the next prompt. When I try
it with an invalid password, it takes some time to return to the next prompt. I'm
wondering if this kind of behaviour will lead to an information leak on
password validity. Should I contact the author of this module to
compensate for the difference in the timing factor?

Thanks,
Senthil Kumar.
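
The timing difference described in the message above, shown beside a version that pads every failed attempt to the same minimum duration. This is an added example, not part of the original post and not the proprietary module's code. The function names, the sample user and password, and both delay values are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <string.h>
#include <time.h>

#define BAD_PW_DELAY_MS 100  /* constructed: delay applied after a wrong password */
#define FAIL_FLOOR_MS   150  /* constructed: minimum duration of any failed attempt */

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

static void sleep_ms(long ms) {
    if (ms <= 0) return;
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Hypothetical stand-ins for the real password and policy-file checks. */
static bool password_ok(const char *pw) { return strcmp(pw, "correct-horse") == 0; }
static bool policy_allows(const char *user) { return strcmp(user, "denied") != 0; }

/* Behaviour reported in the post: only the wrong-password path is delayed. */
bool auth_leaky(const char *user, const char *pw) {
    if (!password_ok(pw)) { sleep_ms(BAD_PW_DELAY_MS); return false; }
    return policy_allows(user);  /* policy denial returns immediately */
}

/* Hardened: run both checks, then pad every failure to the same floor. */
bool auth_uniform(const char *user, const char *pw) {
    long start = now_ms();
    bool pw_good = password_ok(pw);
    bool allowed = policy_allows(user);
    if (pw_good && allowed) return true;
    sleep_ms(FAIL_FLOOR_MS - (now_ms() - start));
    return false;
}

/* Wall-clock duration of one attempt, in milliseconds. */
long timed_ms(bool (*auth)(const char *, const char *),
              const char *user, const char *pw) {
    long start = now_ms();
    (void)auth(user, pw);
    return now_ms() - start;
}
```

With `auth_leaky`, a fast rejection on a policy-denied account tells the client the password was accepted; with `auth_uniform`, both failure causes take the same time from the client's point of view.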





More information about the openssh-unix-dev mailing list