Openssh use enumeration
selphie.keller at gmail.com
Thu Jul 21 12:31:34 AEST 2016
Ahh i see, just got up to speed on the issue, so seems like the issue is
related to blowfish being faster then sha family hashing for longer length
passwords, so there is a time lag difference between the blowfish internal
hash and the sha family hash, though this could be tricky to fix since some
systems may still use blowfish based hashing and changing the internal hash
from blowfish to sha to fix this for modern systems may invalidate it
inversely on older systems, where this attack can be done to find the
difference in the other direction of taking to long. Some sorta of hybrid
solution of computing hashes based on what the system is actively using
should resolve the timing issue. So if this is on a newer system using sha
family for hashing it would use a sha family hash to be the fall back for
accounts and blowfish if it's on a system using blowfish.
On 20 July 2016 at 20:18, Selphie Keller <selphie.keller at gmail.com> wrote:
> I thought this was already addressed with the internal blowfish hash of
> "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK" to where all
> passwords were checked against this to prevent timing analysis for user
> On 20 July 2016 at 19:45, Darren Tucker <dtucker at zip.com.au> wrote:
>> On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at autistici.org>
>> > Hi, sorry I don't know if I send this to the correct channel.
>> It is.
>> > it's possible in certain circumstances to provoke a DOS
>> > condition in the access to the ssh server.
>> We have been discussing this a bit, and what we have just added is a
>> simple hard limit on the allowed size of a password string at 1k,
>> above which the password is immediately refused. There's other
>> possible embellishments (eg, add a possibly variable delay) but we
>> haven't decided on any yet.
>> Darren Tucker (dtucker at zip.com.au)
>> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
>> Good judgement comes with experience. Unfortunately, the experience
>> usually comes from bad judgement.
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
More information about the openssh-unix-dev