Openssh use enumeration

Selphie Keller selphie.keller at
Thu Jul 21 12:31:34 AEST 2016

Ahh i see, just got up to speed on the issue, so seems like the issue is
related to blowfish being faster then sha family hashing for longer length
passwords, so there is a time lag difference between the blowfish internal
hash and the sha family hash, though this could be tricky to fix since some
systems may still use blowfish based hashing and changing the internal hash
from blowfish to sha to fix this for modern systems may invalidate it
inversely on older systems, where this attack can be done to find the
difference in the other direction of taking to long. Some sorta of hybrid
solution of computing hashes based on what the system is actively using
should resolve the timing issue. So if this is on a newer system using sha
family for hashing it would use a sha family hash to be the fall back for
accounts and blowfish if it's on a system using blowfish.

On 20 July 2016 at 20:18, Selphie Keller <selphie.keller at> wrote:

> I thought this was already addressed with the internal blowfish hash of
> "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK" to where all
> passwords were checked against this to prevent timing analysis for user
> enumeration.
> On 20 July 2016 at 19:45, Darren Tucker <dtucker at> wrote:
>> On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at>
>> wrote:
>> > Hi, sorry I don't know if I send this to the correct channel.
>> It is.
>> [..]
>> > it's possible in certain circumstances to provoke a DOS
>> > condition in the access to the ssh server.
>> We have been discussing this a bit, and what we have just added is a
>> simple hard limit on the allowed size of a password string at 1k,
>> above which the password is immediately refused.  There's other
>> possible embellishments (eg, add a possibly variable delay) but we
>> haven't decided on any yet.
>> Thanks.
>> --
>> Darren Tucker (dtucker at
>> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
>> (new)
>>     Good judgement comes with experience. Unfortunately, the experience
>> usually comes from bad judgement.
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at

More information about the openssh-unix-dev mailing list