Openssh use enumeration

Morham Anthelleron opensshdev at r.paypc.com
Thu Jul 21 14:00:51 AEST 2016


Quoting Darren Tucker <dtucker at zip.com.au>:
> Since committing that diff I've heard of people running in production
> with no root password (ie *LK*, !! or similar).
> 
> It's about the same amount of code to search for the first account with
> a valid salt, which would avoid this problem in the case where the root
> account doesn't have a real password.
> 
> djm: what do you think?

Since OpenSSH already makes use of an unprivileged user for privsep, why not
take the next step of setting a (long) random password for it using the
system's normal shadow password routines?

If one is concerned about an accidentally "successful" login, you could
perturb the supplied passphrase prior to passing it down to the authentication
library to ensure a successful entry is impossible.

Alternately, a second "dummy" account that's not used at all by the system
which is a chroot jail with nothing in it with a random password?

This way no bizarre system assumptions need be made, and it accommodates the
wide range of "policy" preferences for the bulk of the userbase.

=M=
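An added illustration of the problem the thread is discussing (this is example code written for this page, not OpenSSH's code or anything posted in the thread): a password check that returns early for unknown or locked accounts does no hashing work, so its response time tells a client whether the account exists. The hardened version always runs the hash, using the first account with a valid salt as the dummy record, which is Darren's suggestion and which still works when root is locked with `*LK*` or `!!`. Assumptions: `hashlib.pbkdf2_hmac` stands in for the system's `crypt()`/shadow routine so the example runs anywhere, the `$pbkdf2$` field format and the shadow contents are constructed here, and `HASH_CALLS` is a counter added only to make the skipped work visible.

```python
"""Constructed example: fast-fail user enumeration vs. a fixed-cost check.

hashlib.pbkdf2_hmac stands in for the system crypt()/shadow routine; the
$pbkdf2$ record format and the shadow file below are made up for this page.
"""
import hashlib
import hmac
import time

ITERATIONS = 50_000   # the expensive step whose absence leaks timing
HASH_CALLS = [0]      # added instrumentation: how often that step actually ran


def make_record(password: str, salt: bytes) -> str:
    """Build a constructed shadow field: $pbkdf2$<salt hex>$<hash hex>."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2${salt.hex()}${digest.hex()}"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    HASH_CALLS[0] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def parse_shadow(text: str) -> dict:
    """Map user -> hash field; locked or empty fields (*LK*, !!, *, '') become
    None because they carry no usable salt."""
    db = {}
    for line in text.strip().splitlines():
        user, field = line.split(":")[:2]
        db[user] = field if field.startswith("$pbkdf2$") else None
    return db


def first_valid_salt_record(db: dict) -> str:
    """Pick the first account whose field has a real salt, instead of
    assuming root has one (root may be *LK* or !! in production)."""
    for field in db.values():
        if field is not None:
            return field
    raise RuntimeError("no account with a valid salt")


def _split(field: str):
    _, _, salt_hex, hash_hex = field.split("$")
    return bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_naive(db: dict, user: str, password: str) -> bool:
    """Returns early for unknown or locked users: no hashing, so the
    response time reveals whether the account exists."""
    field = db.get(user)
    if field is None:
        return False
    salt, expected = _split(field)
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def verify_hardened(db: dict, user: str, password: str) -> bool:
    """Always does the hashing work; unknown/locked users are checked
    against a dummy record with a valid salt and can never succeed."""
    field = db.get(user)
    exists = field is not None
    if not exists:
        field = first_valid_salt_record(db)
    salt, expected = _split(field)
    ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    return ok and exists


def elapsed(fn, *args) -> float:
    """Wall-clock time of one call, for the demonstration below."""
    t0 = time.perf_counter()
    fn(*args)
    return time.perf_counter() - t0


# Constructed shadow file: root locked (as in the thread), one real user,
# and the privsep account with a locked field.
SHADOW = "\n".join([
    "root:*LK*:17000:0:99999:7:::",
    f"alice:{make_record('correct horse', b'alice-salt')}:17000:0:99999:7:::",
    "sshd:!!:17000:0:99999:7:::",
])
DB = parse_shadow(SHADOW)

if __name__ == "__main__":
    for name, fn in (("naive", verify_naive), ("hardened", verify_hardened)):
        for user in ("alice", "nosuchuser", "root"):
            print(f"{name:8} {user:11} {elapsed(fn, DB, user, 'wrong'):.4f}s")
```

Running it prints near-zero times for `nosuchuser` and `root` under the naive check and roughly equal times for all three under the hardened one. Note that a correct guess of the dummy account's password still fails for an unknown user because the result is gated on the account existing, which is the concern the "perturb the passphrase" idea in the post addresses for an account that does have a real password.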
