Hi guys, and here's a security related bug report. I think it's has been fixed in the 2.2.x-release of openssh, but I'm not sure. I tried to reproduce the problem with my 2.2.0p1 and could find any difference in the behaviour of ssh depending on wether PermitRootLogin was set to no. Could someone please confirm that this problem is not existing anymore?> When PermitRootLogin is set to no in /etc/ssh/sshd_config it should not > be possible to determine whether a root password is correct remotely. > However sshd behaves differently depending on whether the password is > correct.> host% ssh root at localhost > root at localhost's password: [typed the correct password] > Received disconnect: ROOT LOGIN REFUSED FROM localhost> host% ssh root at localhost > root at localhost's password: [typed an incorrect password] > [pauses a second, then prints:] > Permission denied, please try again.Thanks for all your feedback and your great work. Ciao Christian -- Debian Developer and Quality Assurance Team Member 1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
this has been fixed 2000/03/09. On Thu, Dec 28, 2000 at 11:38:43AM +0100, Christian Kurz wrote:> Hi guys, > > and here's a security related bug report. I think it's has been fixed in > the 2.2.x-release of openssh, but I'm not sure. I tried to reproduce the > problem with my 2.2.0p1 and could find any difference in the behaviour > of ssh depending on wether PermitRootLogin was set to no. Could someone > please confirm that this problem is not existing anymore? > > > When PermitRootLogin is set to no in /etc/ssh/sshd_config it should not > > be possible to determine whether a root password is correct remotely. > > However sshd behaves differently depending on whether the password is > > correct. > > > host% ssh root at localhost > > root at localhost's password: [typed the correct password] > > Received disconnect: ROOT LOGIN REFUSED FROM localhost > > > host% ssh root at localhost > > root at localhost's password: [typed an incorrect password] > > [pauses a second, then prints:] > > Permission denied, please try again. > > Thanks for all your feedback and your great work. > > Ciao > Christian > -- > Debian Developer and Quality Assurance Team Member > 1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853 >
On Thu, Dec 28, Christian Kurz wrote:> and here's a security related bug report. I think it's has been fixed in > the 2.2.x-release of openssh, but I'm not sure. I tried to reproduce the > problem with my 2.2.0p1 and could find any difference in the behaviour > of ssh depending on wether PermitRootLogin was set to no. Could someone > please confirm that this problem is not existing anymore?I couldn't reproduce this with openssh-2.3.0p1 ... Here's output: root at localhost's password: Permission denied, please try again. root at localhost's password: Permission denied, please try again. root at localhost's password: Unable to find an authentication method Here I gave the right passwd on first try and incorrect passwd on the 2nd/3rd try. -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
Hello, I am trying to use openssh with openssl lib on NetBSD. I am not a security expert, thus sending this email to the list. I am not looking for legal advice (which I will contact lawyer), but looking to get general info on what algorithms (such as RC5 etc..) in openssl are used by openssh that may need legal attention. And what are the alternatives ? I see that openssl has some patent issues. It has many ciphers and algorithms: BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt, CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt, RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words, bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4, bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3, des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3, des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order Which of above are legal contenders ? Are BSAFE/RSAREF part of above ? Any information/pointers is appreciated. Thank you. Sunil.