Openssh use enumeration
Darren Tucker
dtucker at zip.com.au
Thu Jul 21 12:48:46 AEST 2016
On Thu, Jul 21, 2016 at 12:31 PM, Selphie Keller
<selphie.keller at gmail.com> wrote:
> Ahh i see, just got up to speed on the issue, so seems like the issue is
> related to blowfish being faster then sha family hashing for longer length
> passwords,
or the system's crypt() not understanding $2a$ -style salts, which
most glibcs don't. On those, crypt fails immediately due to invalid
salt.
> so there is a time lag difference between the blowfish internal
> hash and the sha family hash, though this could be tricky to fix since some
> systems may still use blowfish based hashing and changing the internal hash
The best I could come up with (which is what I implemented[1]) was to
look the crypt method used for root's password and use that, falling
back to DES if that fails. That scheme won't help if you don't set a
root password (or set it to *LK* or similar), but short of surveying
all accounts on the system I'm not sure how to do much better.
[1] https://anongit.mindrot.org/openssh.git/commit/?id=9286875a73b2de7736b5e50692739d314cd8d9dc
--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list