Pam module leaks information

Darren Tucker dtucker at
Mon Jul 18 14:14:24 EST 2005

Senthil Kumar wrote:
> Im using OpenSSH 4.1 with a proprietary pam module. This module does allow
> or deny access to the accound based on a policy file settings. Now if I deny
> the access to an account and attempt to connect to the sshd server for that
> account with valid password, it quickly returns to next prompt. When I try
> it with invalid password, it took some time to return to next prompt. Im
> wondering if this kind of behaviour will lead to information leak on
> password validity. Should I need to contact the author of this module to
> compensate the difference in timing factor.

I'm not aware of any remaining timing info leaks in the PAM code in 
OpenSSH 4.1p1 (we spent some time a while back stomping them out) but if 
there are any left then they ought to be found and fixed.

That said, it sounds like your module is the source of the timing 
discrepancy.  Does it behave the same way with other PAM apps?

What platform is this?  On Linux, you may have to explicitly set 
pam_fail_delay (eg with this module:

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list