Call for testing: OpenSSH 7.3

C0r3dump3d coredump at
Fri Jul 22 19:05:09 AEST 2016

Hi, I have tested the mitigation timing differences in password
authentication (CVE-2016-6210). I have compiled
openssh-SNAP-20160722.tar.gz in a Debian 8 and use my tool Osueta
( against the system.

Ok, I have seen that you calculate all the password hash exist or not
exist the user, and with this you can not discriminate the presence or
absence of that user, but now it's more easy to establish the DOS
condition in the access to the Openssh server and exhausting the CPU
resources, any dummy user it can be used!

For example:

osueta -H -U asdf -v no -d 15 -p 22 --dos yes -t 40

Users found      Time delay in seconds
asdf                      27

I have attached screenshots with the CPU resource exhaustion and the DOS
in the access to the Openssh server.

The test machine it's a Debian 8 VM in KVM with 4 Core and 2GB of RAM.

For CVE-2016-6210 user enumeration really it's mitigate but for the
problem of DOS as I say seems much easier to exploit!!


Andres Rojas

El 22/07/16 a las 06:40, Damien Miller escribió:
> Hi,
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
> Snapshot releases for portable OpenSSH are available from
> The OpenBSD version is available in CVS HEAD:

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list