On Thu, Sep 22, 2005 at 02:58:08PM +0530, Senthil Kumar wrote:
> I am using OpenSSH 4.x versions. If I try to ssh to a system with a user
> account and if all my auth methods fail, the client side gets the following
> message.
>
> Permission denied (publickey,password,keyboard-interactive).
>
> This looks like an information leak, where a malicious user can detect all
> the allowed authmethods on the server system. I would like to know if there
> are some reasons for giving this information out.
Yes, it's part of the SSHv2 protocol spec.
Have a browse of
http://www.ietf.org/internet-drafts/draft-ietf-secsh-userauth-27.txt
and look for "authentications that can continue".
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
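
The "authentications that can continue" field referred to in the reply, as an added example that is not part of the original thread or of OpenSSH's code: a sketch of the SSH_MSG_USERAUTH_FAILURE payload (message number 51, a name-list, then a partial-success boolean, per the SSH userauth spec) showing that the method list in the client's error is data the server is required to send. The function names and the sample payload are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number assigned by the SSH userauth spec


def build_userauth_failure(methods, partial_success=False):
    """Encode the payload a server sends when an auth attempt is rejected."""
    # name-list: uint32 length followed by comma-separated ASCII method names
    name_list = ",".join(methods).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + struct.pack(">I", len(name_list)) + name_list
            + bytes([1 if partial_success else 0]))


def parse_userauth_failure(payload):
    """Return (methods_that_can_continue, partial_success) from a payload."""
    if len(payload) < 6 or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE payload")
    (length,) = struct.unpack(">I", payload[1:5])
    # Reject truncated or padded messages instead of reading past the list.
    if len(payload) != 5 + length + 1:
        raise ValueError("name-list length does not match payload size")
    raw = payload[5:5 + length]
    methods = raw.decode("ascii").split(",") if raw else []
    return methods, payload[5 + length] != 0


def format_client_error(methods):
    """Render the list in the shape of the message quoted in the thread."""
    return "Permission denied (%s)." % ",".join(methods)


# Constructed sample: the method list from the question above.
SAMPLE = build_userauth_failure(["publickey", "password", "keyboard-interactive"])

if __name__ == "__main__":
    methods, partial = parse_userauth_failure(SAMPLE)
    print(format_client_error(methods), "partial_success=%s" % partial)
```
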