Openssh use enumeration

Darren Tucker dtucker at zip.com.au
Thu Jul 21 14:16:14 AEST 2016


On Thu, Jul 21, 2016 at 2:00 PM, Morham Anthelleron
<opensshdev at r.paypc.com> wrote:
[...]
> Since OpenSSH already makes use of an unprivileged user for privsep, why not
> take the next step of setting a (long) random password for it using the
> system's normal shadow password routines?

Assuming you mean putpwent(): that requires an encrypted string to put
in pw_passwd putting us right back where we started.

> If one is concerned about an accidentally "successful" login, you could
> perturb the supplied passphrase prior to passing it down to the authentication
> library to ensure a successful entry is impossible.
>
> Alternately, a second "dummy" account that's not used at all by the system
> which is a chroot jail with nothing in it with a random password?

If we could reliably come up with the encrypted string to put in that
dummy account we wouldn't need the dummy account.

Actually setting a password is quite system dependent.  exec'ing
/bin/passwd in most cases needs a controlling terminal although some
have flags for reading form stdin.   Using pam_chauthtok() would
require making assumptions about what the prompts were.  Some systems
enforce complexity (as opposed to entropy) requirements.  And then
you'd have an account with a password that you're not quite sure where
it came from.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list