http://bugzilla.mindrot.org/show_bug.cgi?id=971
Summary: keyboard-interactive/pam leaks info about user existence
Product: Portable OpenSSH
Version: -current
Platform: All
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281595
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: dtucker@zip.com.au
Estimated Hours: 0.00
During keyboard-interactive authentication, if the PAM stack inserts a delay on
bad logins, the delay will be present for accounts that exist, and not present
for accounts that do not.
One solution for 3.9p1 is to set "ChallengeResponseAuthentication no" and
"PasswordAuthentication yes" in sshd_config, since PasswordAuthentication does
not have this issue.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
Summary: keyboard-interactive/pam leaks info about user existence
Product: Portable OpenSSH
Version: -current
Platform: All
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281595
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: dtucker@zip.com.au
Estimated Hours: 0.00
During keyboard-interactive authentication, if the PAM stack inserts a delay on
bad logins, the delay will be present for accounts that exist, and not present
for accounts that do not.
One solution for 3.9p1 is to set "ChallengeResponseAuthentication no" and
"PasswordAuthentication yes" in sshd_config, since PasswordAuthentication does
not have this issue.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.