openssh & delay
Darren Tucker
dtucker at zip.com.au
Fri May 28 11:00:28 EST 2004
Giuseppe Ghibò wrote:
> Hi, I wrote you to ask whether this patch is OK for you. I extracted
> from the current debian openssh patch set.
FWIW it looks ok to me (but I'm biased, I put that patch together for
Debian bug #192207). It just short circuits the "none" checks if
PermitEmptyPasswords=no and feeds PAM a bogus password for root if
PermitRootLogin!=yes. Assuming you have PAM delay on failure, an
attacker can trivially determine the PermitEmptyPasswords setting, but I
think that's about it.
Credit where it's due: the bogus root password bit is originally from
Openwall (their "owl-always-auth" patch).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
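The behaviour described in this message, as an added illustration that is not code from OpenSSH, Debian or Openwall: a simulated comparison of rejecting a disallowed root login early versus always running the password check with a bogus password, plus the "none" short circuit whose timing still reveals PermitEmptyPasswords. All function names, the 2000 ms delay, the bogus string and the sample password are assumptions made for the example; the clock is simulated, so nothing sleeps.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define FAIL_DELAY_MS 2000u  /* assumed PAM delay on failure */
static const char BOGUS[] = "\b\n\r\177INCORRECT";  /* constructed, never matches */
struct policy { bool permit_root_login, permit_empty_passwords; };
static unsigned elapsed_ms;  /* simulated clock, nothing really sleeps */

/* Hypothetical stand-in for the PAM stack: a failed check costs the delay. */
static bool backend_check(const char *user, const char *pw) {
    bool ok = strcmp(user, "root") == 0 && strcmp(pw, "constructed-root-pw") == 0;
    if (!ok) elapsed_ms += FAIL_DELAY_MS;
    return ok;
}
static bool root_denied(const struct policy *p, const char *user) {
    return strcmp(user, "root") == 0 && !p->permit_root_login;
}

/* Before: a disallowed root login returns without reaching the backend. */
static bool auth_early_reject(const struct policy *p, const char *user, const char *pw) {
    if (root_denied(p, user)) return false;
    return backend_check(user, pw);
}

/* After: the backend always runs; a denied root login is fed BOGUS. */
static bool auth_always(const struct policy *p, const char *user, const char *pw) {
    bool denied = root_denied(p, user);
    bool ok = backend_check(user, denied ? BOGUS : pw);
    return ok && !denied;
}

/* "none" attempt: short-circuited when PermitEmptyPasswords=no. */
static bool auth_none(const struct policy *p, const char *user) {
    return p->permit_empty_passwords && auth_always(p, user, "");
}

/* Simulated ms spent on a failing root attempt; variant 0=before, 1=after, 2=none. */
static unsigned cost(int variant, bool permit_root, bool permit_empty) {
    struct policy p = { permit_root, permit_empty };
    elapsed_ms = 0;
    if (variant == 2) auth_none(&p, "root");
    else (variant ? auth_always : auth_early_reject)(&p, "root", "wrong");
    return elapsed_ms;
}

int main(void) {
    printf("before: %u/%u ms  after: %u/%u ms  none: %u/%u ms\n", cost(0, 0, 0),
           cost(0, 1, 0), cost(1, 0, 0), cost(1, 1, 0), cost(2, 1, 0), cost(2, 1, 1));
    return 0;
}
```

Each pair printed is the simulated time with the relevant option off and then on: the "before" pair differs, the "after" pair does not, and the "none" pair still differs.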