Regarding Pubkey Enumeration
Dan Kaminsky
dan at doxpara.com
Fri Jan 20 20:18:47 EST 2012
HD Moore from Metasploit has noted that, given a pubkey (and not the
corresponding private key, as might be found in authorized_keys), he can
determine if he'd be able to log into an account.
It's a small thing, but he's using it for very interesting
recon/deanonymization. He'll be releasing a paper shortly, not overplaying
the characteristic, but certainly showing it can be used to do cute things.
I expect this is easily fixable -- simply provide the challenge for a
pubkey whether or not it'd actually be able to log in successfully. But
it's worth exploring this space -- perhaps some clients behave badly.
--Dan
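The behaviour Dan describes is the query form of the SSH "publickey" userauth method (RFC 4252 section 7): the client sends SSH_MSG_USERAUTH_REQUEST with the has-signature boolean set to FALSE, and the server answers SSH_MSG_USERAUTH_PK_OK (60) if that key would be acceptable for the account, or SSH_MSG_USERAUTH_FAILURE (51) otherwise. The model below is an added example, not code from the post, from HD Moore's tooling or from OpenSSH. It simulates both a server that answers the query honestly (the oracle) and one that always issues the challenge, as the post proposes, and runs a recon loop against each. The key type "ssh-toyrsa", the textbook-RSA-over-fixed-Mersenne-primes stand-in for a real signature scheme, the session id, and the user names and authorized_keys contents are all constructed for the demo; only the message numbers and the authorized_keys line layout are real.

```python
import base64
import hashlib

# SSH userauth message numbers from RFC 4252.
MSG_USERAUTH_FAILURE = 51
MSG_USERAUTH_SUCCESS = 52
MSG_USERAUTH_PK_OK = 60

# Constructed stand-in for the KEX-derived session id (both sides know it).
SESSION_ID = b"constructed-session-id"

# Toy signature scheme: textbook RSA over small fixed Mersenne primes. Assumption for
# illustration only; it is NOT secure and is not what any real SSH key type does.
_E = 65537
_PRIMES = {"alice": (2**61 - 1, 2**31 - 1), "bob": (2**89 - 1, 2**19 - 1),
           "mallory": (2**127 - 1, 2**17 - 1)}

def toy_keypair(name):
    """Return ((d, n), public_blob) for the fixed toy key identified by name."""
    p, q = _PRIMES[name]
    n = p * q
    d = pow(_E, -1, (p - 1) * (q - 1))
    return (d, n), f"toyrsa:{_E}:{n}".encode()   # blob = what the client sends on the wire

def signed_data(user, blob):
    """Data the client signs in the non-query request (session id + request fields, simplified)."""
    return SESSION_ID + user.encode() + blob

def toy_sign(private_key, data):
    d, n = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def toy_verify(blob, data, sig):
    _, e, n = blob.decode().split(":")
    e, n = int(e), int(n)
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def authorized_keys_line(blob, comment):
    return "ssh-toyrsa " + base64.b64encode(blob).decode() + " " + comment

def parse_authorized_keys(text):
    """Collect key blobs from authorized_keys text; the options field and comments are skipped."""
    blobs = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # The first token that looks like a key type starts the key; anything before it is
        # the options field (a quoted option value containing a token starting with "ssh-"
        # would confuse this simplified scan).
        for i, f in enumerate(fields):
            if f.startswith("ssh-") and i + 1 < len(fields):
                blobs.add(base64.b64decode(fields[i + 1]))
                break
    return blobs

class ToyServer:
    def __init__(self, authorized, leaky):
        self.keys = {user: parse_authorized_keys(text) for user, text in authorized.items()}
        self.leaky = leaky

    def userauth_publickey(self, user, blob, sig=None):
        """Handle SSH_MSG_USERAUTH_REQUEST, method 'publickey' (RFC 4252 s.7)."""
        acceptable = blob in self.keys.get(user, set())
        if sig is None:
            # Query form (has-signature FALSE). Answering PK_OK only for keys that would
            # actually log in is the oracle; the fixed variant issues the challenge for any
            # well-formed key and lets the signed attempt decide.
            if self.leaky and not acceptable:
                return MSG_USERAUTH_FAILURE
            return MSG_USERAUTH_PK_OK
        if acceptable and toy_verify(blob, signed_data(user, blob), sig):
            return MSG_USERAUTH_SUCCESS
        return MSG_USERAUTH_FAILURE

def enumerate_keys(server, user, candidate_blobs):
    """Recon side: with only public blobs (e.g. harvested from public repos), learn which
    of them are authorized for `user`. Returns fingerprint -> bool."""
    return {fingerprint(b): server.userauth_publickey(user, b) == MSG_USERAUTH_PK_OK
            for b in candidate_blobs}

def demo():
    alice_priv, alice_pub = toy_keypair("alice")
    bob_priv, bob_pub = toy_keypair("bob")
    _, mallory_pub = toy_keypair("mallory")
    # Constructed authorized_keys files for two accounts.
    authorized = {"alice": authorized_keys_line(alice_pub, "alice@laptop"),
                  "bob": "# bob's keys\n" + authorized_keys_line(bob_pub, "bob@desk")}
    candidates = [alice_pub, bob_pub, mallory_pub]
    leaky, fixed = ToyServer(authorized, leaky=True), ToyServer(authorized, leaky=False)
    return {
        "leaky": enumerate_keys(leaky, "alice", candidates),   # only alice's key says True
        "fixed": enumerate_keys(fixed, "alice", candidates),   # every key says True: no info
        "alice_login": fixed.userauth_publickey(
            "alice", alice_pub, toy_sign(alice_priv, signed_data("alice", alice_pub))),
        "bob_as_alice": fixed.userauth_publickey(
            "alice", bob_pub, toy_sign(bob_priv, signed_data("alice", bob_pub))),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against the leaky server the recon loop recovers exactly which candidate keys are in alice's authorized_keys without ever producing a signature; against the fixed server every query gets PK_OK, so the only way to learn that a key is accepted is to hold its private key and complete the signed request, which is the behaviour the post proposes. The fixed variant still has to reject at the signed step for keys that are not authorized, so the extra round trip for unauthorized keys is the cost of closing the oracle.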