[Bug 975] Kerberos authentication timing can leak information about account validity

bugzilla-daemon at mindrot.org
Thu Jan 20 20:45:15 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=975

           Summary: Kerberos authentication timing can leak information
                    about account validity
           Product: Portable OpenSSH
           Version: -current
          Platform: All
               URL: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=110371328918329&w=2
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Kerberos support
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: dtucker at zip.com.au


There is apparently a difference in behaviour in the Kerberos code for existing
vs nonexistent users.  See the thread in the URL.

To summarise the thread:

Senthil Kumar said:
> I tested [with the patch in bug #971 - dt] OpenSSH-3.9p1 with the following
> options in sshd configuration
> 
> ChallengeResponseAuthentication no
> KerberosAuthentication yes
> passwordauthentication yes
> 
> but it shows difference in time for the appearance of password prompts for 
> both valid and invalid users. The code shows PAM-password Authentication is 
> not attempted when KerberosAuthentication is enabled. So by disabling 
> kerberosAuthentication there is no difference in time for the appearance of 
> password prompts for both valid and invalid users (i.e. both cases have 
> considerable amount of delay).

Later testing showed that the early return in auth-krb5.c when !authctxt->valid
is the cause of the difference.
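
The early-return pattern described above, next to one way to make the work
independent of account validity. This is an added example, not code from
OpenSSH or from the report: every name in it (struct authctxt as declared
here, kdc_verify, auth_leaky, auth_uniform, cost, the "NOUSER" placeholder)
is hypothetical, and the KDC exchange is simulated by a counter so the
difference can be checked without timing anything.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: none of these definitions come from OpenSSH. */
struct authctxt { const char *user; int valid; };

static unsigned kdc_round_trips;   /* counts simulated slow KDC exchanges */

/* Simulated KDC exchange: the slow step whose absence an observer can time.
 * Assumption: it costs the same for any principal; a real KDC may not. */
static int kdc_verify(const char *principal, const char *password)
{
    kdc_round_trips++;
    return strcmp(principal, "alice") == 0 &&
           strcmp(password, "correct horse") == 0;
}

/* Pattern from the report: invalid users return before the slow step. */
int auth_leaky(const struct authctxt *a, const char *password)
{
    if (!a->valid)
        return 0;
    return kdc_verify(a->user, password);
}

/* Same work for every user; validity only gates the final result. */
int auth_uniform(const struct authctxt *a, const char *password)
{
    const char *principal = a->valid ? a->user : "NOUSER"; /* placeholder */
    int ok = kdc_verify(principal, password);
    return ok && a->valid;
}

/* Number of simulated KDC exchanges one failed attempt costs. */
unsigned cost(int (*fn)(const struct authctxt *, const char *),
              const char *user, int valid)
{
    struct authctxt a = { user, valid };
    unsigned before = kdc_round_trips;
    (void)fn(&a, "wrong password");
    return kdc_round_trips - before;
}

int main(void)
{
    printf("leaky:   valid=%u invalid=%u\n",
           cost(auth_leaky, "alice", 1), cost(auth_leaky, "mallory", 0));
    printf("uniform: valid=%u invalid=%u\n",
           cost(auth_uniform, "alice", 1), cost(auth_uniform, "mallory", 0));
    return 0;
}
```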
