bugzilla-daemon at mindrot.org
2003-Jul-01 00:32 UTC
[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay
http://bugzilla.mindrot.org/show_bug.cgi?id=611

           Summary: Unnecessary authentication attempt in auth2-none.c creates delay
           Product: Portable OpenSSH
           Version: 3.6.1p2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: matthewg at zevils.com

The userauth_none function, which is called at the start of every SSH2 connection, attempts to authenticate the user by calling auth_password with an empty password. In the case where the user's password is not empty, which will be the majority of the time, this can create a noticeable delay, since many systems are set up to insert a pause after a failed authentication attempt in order to prevent brute-force attacks.

The attached patch will suppress the auth_password call in userauth_none if the PermitEmptyPasswords option is turned off. On my system (Debian GNU/Linux sid), this eliminates a two-second delay in logging in.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Jul-01 00:34 UTC
[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay
http://bugzilla.mindrot.org/show_bug.cgi?id=611

------- Additional Comments From matthewg at zevils.com 2003-07-01 10:34 -------
Created an attachment (id=351)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=351&action=view)
Patch to fix the issue

Tested against 3.6.1p2, also applies to -current.
bugzilla-daemon at mindrot.org
2003-Jul-01 00:37 UTC
[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay
http://bugzilla.mindrot.org/show_bug.cgi?id=611

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From mouring at eviladmin.org 2003-07-01 10:36 -------
Potentially leaks information about user accounts accessibility.
bugzilla-daemon at mindrot.org
2003-Jul-01 00:43 UTC
[Bug 611] Unnecessary authentication attempt in auth2-none.c creates delay
http://bugzilla.mindrot.org/show_bug.cgi?id=611

------- Additional Comments From matthewg at zevils.com 2003-07-01 10:43 -------
Is there a proper way to fix this bug? My users are complaining about the delay.