Openssh use enumeration

Selphie Keller selphie.keller at gmail.com
Thu Jul 21 14:36:58 AEST 2016


Darren, If you have time could you try the actual tool against the new
patch curious to see how it stands up https://github.com/c0r3dump3d/osueta

On 20 July 2016 at 22:27, Darren Tucker <dtucker at zip.com.au> wrote:

> On Thu, Jul 21, 2016 at 1:48 PM, Darren Tucker <dtucker at zip.com.au> wrote:
> [...]
> > Well if there are no accounts with a valid salt then there's also no
> > valid account to compare the timing of invalid accounts against.
> > Worst case that'd be DES crypt vs empty password and I'm not sure if
> > you'd be able to pick that out of the background crypto.
>
> I just measured the speed of DES crypt on a somewhat elderly 2.1GHz
> Xeon X3210 at about 7 microseconds.  Good luck picking that out of
> Diffie-Hellman exchange over a network.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>


More information about the openssh-unix-dev mailing list