openssh & delay
Giuseppe Ghibò
ghibo at mandrakesoft.com
Fri May 28 19:07:54 EST 2004
Darren Tucker wrote:
> Giuseppe Ghibò wrote:
>
>> Hi, I wrote you to ask whether this patch is OK for you. I extracted
>> from the current Debian OpenSSH patch set.
>
>
> FWIW it looks ok to me (but I'm biased, I put that patch together for
> Debian bug #192207). It just short circuits the "none" checks if
> PermitEmptyPasswords=no and feeds PAM a bogus password for root if
> PermitRootLogin!=yes. Assuming you have PAM delay on failure, an
> attacker can trivially determine the PermitEmptyPasswords setting, but I
> think that's about it.
Well, isn't this the same behaviour as current OpenSSH 3.8?
>
> Credit where it's due: the bogus root password bit is originally from
> Openwall (their "owl-always-auth" patch).
>
Thanks for the info.
Bye.
Giuseppe.
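
The behaviour described in the quoted reply, modelled as an added example (not the Debian patch, the Openwall patch, or OpenSSH source). All names, the bogus-password value and the account data are hypothetical, and a counter of PAM calls stands in for the PAM failure delay.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical names throughout; a model of the described logic, not sshd code. */
enum root_login { ROOT_NO, ROOT_WITHOUT_PASSWORD, ROOT_YES };
struct sshd_opts { bool permit_empty_passwords; enum root_login permit_root_login; };

static const char BOGUS_PW[] = "\n\r\177BOGUS"; /* constructed: matches no account */
static int pam_calls; /* one call = one PAM round trip, i.e. one failure delay */

/* Stand-in for the PAM stack: constructed table with a single root password. */
static bool pam_check(const char *user, const char *pw)
{
    pam_calls++;
    return strcmp(user, "root") == 0 && strcmp(pw, "correct-root-pw") == 0;
}

/* "none" method: skipped outright when empty passwords are disallowed. */
bool auth_none(const struct sshd_opts *o, const char *user)
{
    if (!o->permit_empty_passwords)
        return false;               /* short circuit: PAM never runs, no delay */
    return pam_check(user, "");
}

/* Password method: PAM always runs, but root is given a bogus password unless
 * PermitRootLogin=yes, so a refused root login costs the same as any failure. */
bool auth_password(const struct sshd_opts *o, const char *user, const char *pw)
{
    bool root_blocked = strcmp(user, "root") == 0 &&
                        o->permit_root_login != ROOT_YES;
    bool ok = pam_check(user, root_blocked ? BOGUS_PW : pw);
    return ok && !root_blocked;
}

/* PAM calls spent on one "none" request for a constructed user "alice". */
int none_cost(bool permit_empty)
{
    struct sshd_opts o = { permit_empty, ROOT_NO };
    pam_calls = 0;
    auth_none(&o, "alice");
    return pam_calls;
}

/* PAM calls spent on one root password attempt; *ok receives the result. */
int root_cost(enum root_login mode, const char *pw, bool *ok)
{
    struct sshd_opts o = { false, mode };
    pam_calls = 0;
    *ok = auth_password(&o, "root", pw);
    return pam_calls;
}
```

In this model the "none" request is the only path whose PAM call count depends on configuration, which corresponds to the PermitEmptyPasswords observation in the quoted reply; root password attempts always cost one PAM call whatever PermitRootLogin is set to.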