Openssh use enumeration

Darren Tucker dtucker at
Thu Jul 21 12:48:46 AEST 2016

On Thu, Jul 21, 2016 at 12:31 PM, Selphie Keller
<selphie.keller at> wrote:
> Ahh i see, just got up to speed on the issue, so seems like the issue is
> related to blowfish being faster then sha family hashing for longer length
> passwords,

or the system's crypt() not understanding $2a$ -style salts, which
most glibcs don't.  On those, crypt fails immediately due to invalid

> so there is a time lag difference between the blowfish internal
> hash and the sha family hash, though this could be tricky to fix since some
> systems may still use blowfish based hashing and changing the internal hash

The best I could come up with (which is what I implemented[1]) was to
look the crypt method used for root's password and use that, falling
back to DES if that fails.  That scheme won't help if you don't set a
root password (or set it to *LK* or similar), but short of surveying
all accounts on the system I'm not sure how to do much better.


Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list