[Galen Hancock <galen@veribox.net>] Information leakage in sshd
Hi,

Thought I'd just forward this here, because I don't have time to look
into it right now, and am off skiing next week.

I'd guess that we should be checking for username = ``root'' before
going off to do password checks, and rejecting it on that basis first.

Cheers, Phil.
--
Mind-numbingly stupid UK law alert!
Act now to stop it! http://www.stand.org.uk/
Re: [Galen Hancock <galen@veribox.net>] Information leakage in sshd
I just committed my fix posted on Feb 17.

On Thu, Mar 09, 2000 at 05:12:02PM +0000, Philip Hands wrote:
> Hi,
>
> Thought I'd just forward this here, because I don't have time to look
> into it right now, and am off skiing next week.
>
> I'd guess that we should be checking for username = ``root'' before
> going off to do password checks, and rejecting it on that basis first.
>
> Cheers, Phil.
> --
> Mind-numbingly stupid UK law alert!
> Act now to stop it! http://www.stand.org.uk/

> Resent-Date: 8 Mar 2000 20:35:57 -0000
> Resent-Cc: recipient list not shown: ;
> Date: Wed, 8 Mar 2000 11:20:39 -0800
> From: Galen Hancock <galen@veribox.net>
> To: security@debian.org, submit@bugs.debian.org
> Subject: Information leakage in sshd
> Resent-From: debian-private@lists.debian.org
> Resent-Sender: debian-private-request@lists.debian.org
>
> Package: ssh
> Version: 1:1.2.2-1.4
>
> When PermitRootLogin is set to no in /etc/ssh/sshd_config it should not
> be possible to determine whether a root password is correct remotely.
> However sshd behaves differently depending on whether the password is
> correct.
>
> fre-76-51% ssh root@localhost
> root@localhost's password: [typed the correct password]
> Received disconnect: ROOT LOGIN REFUSED FROM localhost
>
> fre-76-51% ssh root@localhost
> root@localhost's password: [typed an incorrect password]
> [pauses a second, then prints:]
> Permission denied, please try again.
>
> Thanks,
> Galen
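The oracle Galen describes, and the ordering change Phil suggests, modelled as an added example (it is not OpenSSH code; the credential table, the Outcome type and the `delayed` flag standing in for the observed one-second pause are constructed here):

```python
"""Model of the sshd root-login oracle discussed in the thread above.
Only the decision order and what the remote client can observe (the
message and whether the failure delay is taken) are modelled."""
from dataclasses import dataclass
import hmac

# Constructed sample credential store (user -> password); not real data.
PASSWORDS = {"root": "correct-root-pw", "alice": "alice-pw"}


@dataclass(frozen=True)
class Outcome:
    message: str
    delayed: bool  # the "pauses a second" the reporter saw on failure


def password_ok(user, password):
    stored = PASSWORDS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def auth_leaky(user, password, permit_root_login=False):
    """Order reported in the bug: password check first, root policy second.
    A correct root password reaches the policy check and produces a distinct,
    immediate response, so the client learns the password was right."""
    if not password_ok(user, password):
        return Outcome("Permission denied, please try again.", delayed=True)
    if user == "root" and not permit_root_login:
        return Outcome("ROOT LOGIN REFUSED", delayed=False)
    return Outcome("Authenticated", delayed=False)


def auth_fixed(user, password, permit_root_login=False):
    """Phil's suggested order: decide the root policy before looking at the
    password, and take exactly the failure path a wrong password would."""
    root_refused = user == "root" and not permit_root_login
    if root_refused or not password_ok(user, password):
        return Outcome("Permission denied, please try again.", delayed=True)
    return Outcome("Authenticated", delayed=False)


def distinguishable(auth, user="root"):
    """Can a remote client tell a correct password from a wrong one?
    Any observable difference is an oracle on the account's password."""
    right = auth(user, PASSWORDS[user])
    wrong = auth(user, "definitely-wrong")
    return right != wrong


if __name__ == "__main__":
    print("leaky order leaks root password:", distinguishable(auth_leaky))  # True
    print("fixed order leaks root password:", distinguishable(auth_fixed))  # False
```

The same `distinguishable` check is the regression test to keep around: it fails the moment any code path for a refused account again returns something a wrong password would not.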