Openssh use enumeration

Selphie Keller selphie.keller at gmail.com
Thu Jul 21 12:18:57 AEST 2016


I thought this was already addressed with the internal blowfish hash of
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK" to where all
passwords were checked against this to prevent timing analysis for user
enumeration.

On 20 July 2016 at 19:45, Darren Tucker <dtucker at zip.com.au> wrote:

> On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at autistici.org>
> wrote:
> > Hi, sorry I don't know if I send this to the correct channel.
>
> It is.
>
> [..]
> > it's possible in certain circumstances to provoke a DOS
> > condition in the access to the ssh server.
>
> We have been discussing this a bit, and what we have just added is a
> simple hard limit on the allowed size of a password string at 1k,
> above which the password is immediately refused.  There's other
> possible embellishments (eg, add a possibly variable delay) but we
> haven't decided on any yet.
>
> Thanks.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>


More information about the openssh-unix-dev mailing list