OpenSSH daemon security bug?

Jameson Rollins jrollins at finestructure.net
Wed Jan 6 07:19:09 EST 2010


On Tue, Jan 05, 2010 at 06:48:27PM +0000, Jefferson Ogata wrote:
> Actually the server could theoretically determine heuristically if the
> key has no passphrase (or if the user is using ssh-agent) by timing the
> key transaction. I've often thought it would be useful for sshd to have
> an option for requiring that there be a delay before each pubkey
> transaction for the purpose of assuring that a passphrase is being typed
> on the client side.

Actually most agents cache the key in memory, and most don't require
passwords to be typed in for every use, so I don't think this would
work.

jamie.