Openssh use enumeration

Darren Tucker dtucker at
Thu Jul 21 13:48:03 AEST 2016

On Thu, Jul 21, 2016 at 1:34 PM, Selphie Keller
<selphie.keller at> wrote:
> yeah I like this idea, fixes the issue with blowfish hashes and non root
> passwords, maybe random delay as the final fall back if no salts/passwords
> are found.

Well if there are no accounts with a valid salt then there's also no
valid account to compare the timing of invalid accounts against.
Worst case that'd be DES crypt vs empty password and I'm not sure if
you'd be able to pick that out of the background crypto.

> Seems rare, but I do have one box that I use ssh keys on and none
> of the accounts have a hash set, but I also don't have password auth
> enabled.

IMO random delays are overrated for mitigating timing attacks; you can
look for inconsistent behaviour as the indicator of whatever you're
looking for.

Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list