bugzilla-daemon at mindrot.org
2003-Jul-01 00:32 UTC
[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay
http://bugzilla.mindrot.org/show_bug.cgi?id=611
Summary: Unnecessary authentication attempt in auth2-none.c
creates delay
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: matthewg at zevils.com
The userauth_none function, which is called at the start of every SSH2
connection, attempts to authenticate the user by calling auth_password with an
empty password. In the case where the user's password is not empty, which
will
be the majority of the time, this can create a noticable delay, since many
systems are set up to insert a pause after a failed authentication attempt in
order to prevent brute-force attacks. The attached patch will suppress the
auth_password call in userauth_none if the PermitEmptyPasswords option is turned
off. On my system (Debian GNU/Linux sid), this eliminates a two-second delay in
logging in.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Jul-01 00:34 UTC
[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay
http://bugzilla.mindrot.org/show_bug.cgi?id=611 ------- Additional Comments From matthewg at zevils.com 2003-07-01 10:34 ------- Created an attachment (id=351) --> (http://bugzilla.mindrot.org/attachment.cgi?id=351&action=view) Patch to fix the issue Tested against 3.6.1p2, also applies to -current. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Jul-01 00:37 UTC
[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay
http://bugzilla.mindrot.org/show_bug.cgi?id=611
mouring at eviladmin.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
------- Additional Comments From mouring at eviladmin.org 2003-07-01 10:36
-------
Potentally leaks information about user accounts accessiblity.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Jul-01 00:43 UTC
[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay
http://bugzilla.mindrot.org/show_bug.cgi?id=611 ------- Additional Comments From matthewg at zevils.com 2003-07-01 10:43 ------- Is there a proper way to fix this bug? My users are complaining about the delay. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.