Philip Hands
2000-Mar-09 17:12 UTC
[Galen Hancock <galen@veribox.net>] Information leakage in sshd
Hi, Thought I'd just forward this here, because I don't have time to look into it right now, and am off skiing next week. I'd guess that we should be checking for username = ``root'' before going off to do password checks, and rejecting it on that basis first. Cheers, Phil. -- Mind-numbingly stupid UK law alert! Act now to stop it! http://www.stand.org.uk/ -------------- next part -------------- An embedded message was scrubbed... From: Galen Hancock <galen at veribox.net> Subject: Information leakage in sshd Date: Wed, 8 Mar 2000 11:20:39 -0800 Size: 1430 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000309/7f094309/attachment.mht -------------- next part --------------
Markus Friedl
2000-Mar-09 19:48 UTC
[Galen Hancock <galen@veribox.net>] Information leakage in sshd
i just commited my fix posted on Feb 17. On Thu, Mar 09, 2000 at 05:12:02PM +0000, Philip Hands wrote:> Hi, > > Thought I'd just forward this here, because I don't have time to look > into it right now, and am off skiing next week. > > I'd guess that we should be checking for username = ``root'' before > going off to do password checks, and rejecting it on that basis first. > > Cheers, Phil. > -- > Mind-numbingly stupid UK law alert! > Act now to stop it! http://www.stand.org.uk/> Resent-Date: 8 Mar 2000 20:35:57 -0000 > Resent-Cc: recipient list not shown: ; > Date: Wed, 8 Mar 2000 11:20:39 -0800 > From: Galen Hancock <galen at veribox.net> > To: security at debian.org, submit at bugs.debian.org > Subject: Information leakage in sshd > Gnus-Warning: This is a duplicate of message <20000308112038.O5093 at c109854-a.frmt1.sfba.home.com> > Message-ID: <20000308112038.O5093 at c109854-a.frmt1.sfba.home.com> > Mime-Version: 1.0 > Content-Type: text/plain; charset=us-ascii > Resent-Message-ID: <0xvpe.A.p4D.rmrx4 at murphy> > Resent-From: debian-private at lists.debian.org > Resent-Sender: debian-private-request at lists.debian.org > > Package: ssh > Version: 1:1.2.2-1.4 > > When PermitRootLogin is set to no in /etc/ssh/sshd_config it should not > be possible to determine whether a root password is correct remotely. > However sshd behaves differently depending on whether the password is > correct. > > fre-76-51% ssh root at localhost > root at localhost's password: [typed the correct password] > Received disconnect: ROOT LOGIN REFUSED FROM localhost > > fre-76-51% ssh root at localhost > root at localhost's password: [typed an incorrect password] > [pauses a second, then prints:] > Permission denied, please try again. > > Thanks, > Galen > > > -- > Please respect the privacy of this mailing list. > > To UNSUBSCRIBE, email to debian-private-request at lists.debian.org > with a subject of "unsubscribe". Trouble? Contact listmaster at lists.debian.org > > >