Permission denied message and leak with it
Darren Tucker
dtucker at zip.com.au
Thu Sep 22 19:44:09 EST 2005
On Thu, Sep 22, 2005 at 02:58:08PM +0530, Senthil Kumar wrote:
> I am using OpenSSH 4.x versions. If I try to ssh to a system with a user
> account and if all my auth methods fail, the client side gets the following
> message.
>
> Permission denied (publickey,password,keyboard-interactive).
>
> This looks like an information leak, where a malicious user can detect all
> the allowed authmethods on the server system. I would like to know if there
> are some reasons for giving this information out.

Yes, it's part of the SSHv2 protocol spec.
Have a browse of http://www.ietf.org/internet-drafts/draft-ietf-secsh-userauth-27.txt
and look for "authentications that can continue".
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
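
The "authentications that can continue" field mentioned in the reply, shown as an added example that is not part of the original post or of OpenSSH: it encodes and parses the SSH_MSG_USERAUTH_FAILURE payload (message number 51, a name-list, a partial-success boolean) as laid out in the userauth spec, published as RFC 4252. The function names and the sample payload are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number assigned by the SSH userauth spec


def build_userauth_failure(methods, partial_success=False):
    """Encode the payload a server sends when an authentication request fails."""
    name_list = ",".join(methods).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + struct.pack(">I", len(name_list)) + name_list
            + bytes([1 if partial_success else 0]))


def parse_userauth_failure(payload):
    """Decode the payload into (methods that can continue, partial_success)."""
    if len(payload) < 6:
        raise ValueError("payload too short for SSH_MSG_USERAUTH_FAILURE")
    if payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not SSH_MSG_USERAUTH_FAILURE")
    # name-list = uint32 big-endian length, then comma-separated ASCII names
    (length,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + length + 1:
        raise ValueError("name-list length does not match payload size")
    raw = payload[5:5 + length].decode("ascii")
    methods = raw.split(",") if raw else []
    if any(m == "" for m in methods):
        raise ValueError("empty name in name-list")
    return methods, payload[5 + length] != 0


def client_message(methods):
    """Format the list the way the client message quoted in the thread shows it."""
    return "Permission denied (%s)." % ",".join(methods)


# Constructed sample payload, not a capture from a real server.
SAMPLE = build_userauth_failure(["publickey", "password", "keyboard-interactive"])

if __name__ == "__main__":
    methods, partial = parse_userauth_failure(SAMPLE)
    print(client_message(methods), "partial_success =", partial)
```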