
[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay
http://bugzilla.mindrot.org/show_bug.cgi?id=611

Summary: Unnecessary authentication attempt in auth2-none.c creates delay
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: matthewg@zevils.com


The userauth_none function, which is called at the start of every SSH2
connection, attempts to authenticate the user by calling auth_password with an
empty password. In the case where the user's password is not empty, which will
be the majority of the time, this can create a noticeable delay, since many
systems are set up to insert a pause after a failed authentication attempt in
order to prevent brute-force attacks. The attached patch will suppress the
auth_password call in userauth_none if the PermitEmptyPasswords option is turned
off. On my system (Debian GNU/Linux sid), this eliminates a two-second delay in
logging in.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.





------- Additional Comments From matthewg@zevils.com 2003-07-01 10:34 -------
Created an attachment (id=351)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=351&action=view)
Patch to fix the issue

Tested against 3.6.1p2, also applies to -current.




mouring@eviladmin.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX



------- Additional Comments From mouring@eviladmin.org 2003-07-01 10:36 -------
Potentially leaks information about user account accessibility.








------- Additional Comments From matthewg@zevils.com 2003-07-01 10:43 -------
Is there a proper way to fix this bug? My users are complaining about the delay.


