Regarding Pubkey Enumeration
Dan Kaminsky
dan at doxpara.com
Sat Jan 21 08:39:29 EST 2012
Eh, you wouldn't support a feature that only displayed a password prompt if the username was valid. Same thing, very similar experience even.
Sent from my iPhone
On Jan 20, 2012, at 4:27 PM, Damien Miller <djm at mindrot.org> wrote:
> This is a deliberate feature - it allows testing whether a pubkey can
> log in without the need to unwrap a private key, an action that may
> require a passphrase or token PIN.
>
> It's been discussed a bit here and elsewhere in the past and we've
> always concluded that it isn't worth turning off or providing a knob
> for.
>
> On Fri, 20 Jan 2012, Dan Kaminsky wrote:
>
>> HD Moore from Metasploit has noted that, given a pubkey (and not the
>> corresponding private key, as might be found in authorized_keys), he can
>> determine if he'd be able to log into an account.
>>
>> It's a small thing, but he's using it for very interesting
>> recon/deanonymization. He'll be releasing a paper shortly, not overplaying
>> the characteristic, but certainly showing it can be used to do cute things.
>>
>> I expect this is easily fixable -- simply provide the challenge for a
>> pubkey whether or not it'd actually be able to log in successfully. But
>> it's worth exploring this space -- perhaps some clients behave badly.
>>
>> --Dan
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
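The behaviour under discussion is the RFC 4252 publickey "query" (a USERAUTH_REQUEST without a signature), which the server answers with PK_OK only when the key is listed in authorized_keys. The following is an added model of that server-side decision, not OpenSSH code: it shows the query stage beside Dan's proposed fix (answer PK_OK for any key, and only reject at the signed attempt). The keys are constructed toy RSA pairs, and `userauth_publickey` and `query_distinguishes` are names chosen here for illustration.

```python
import hashlib

# Constructed toy RSA keys, for illustration only (not secure).
def toy_keypair(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public, private)

def _digest(session_id, n):
    return int.from_bytes(hashlib.sha256(session_id).digest(), "big") % n

def sign(priv, session_id):
    n, d = priv
    return pow(_digest(session_id, n), d, n)

def verify(pub, session_id, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(session_id, n)

def userauth_publickey(authorized, pub, session_id, sig=None, leak_query=True):
    """Server handling of one publickey USERAUTH_REQUEST.

    sig is None for the query stage (no signature supplied).
    leak_query=True is the current behaviour: PK_OK only for listed keys.
    leak_query=False is the proposed fix: PK_OK for every key, so the
    answer carries no information about authorized_keys.
    """
    if sig is None:
        if leak_query:
            return "PK_OK" if pub in authorized else "FAILURE"
        return "PK_OK"
    # Signed attempt: membership and a valid signature are both required.
    if pub in authorized and verify(pub, session_id, sig):
        return "SUCCESS"
    return "FAILURE"

def query_distinguishes(leak_query):
    """True if the query answer differs for a listed vs. an unlisted key."""
    listed_pub, _ = toy_keypair(61, 53)
    unlisted_pub, _ = toy_keypair(101, 113)
    authorized = {listed_pub}
    sid = b"constructed-session-id"
    a = userauth_publickey(authorized, listed_pub, sid, leak_query=leak_query)
    b = userauth_publickey(authorized, unlisted_pub, sid, leak_query=leak_query)
    return a != b
```

With the fixed policy the query no longer tells a legitimate client which of its keys to unwrap, which is the cost Damien Miller describes above.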