On Fri, Dec 28, 2001 at 11:28:56AM -0800, Florin Andrei wrote:
> On Fri, 2001-12-28 at 11:18, Markus Friedl wrote:
> > On Fri, Dec 28, 2001 at 11:14:35AM -0800, Florin Andrei wrote:
> > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=57859
> > >
> > > There's a method to see if an account exists or not: if it does exist,
> > > and the password fails, there's a small delay before getting the prompt
> > > again. But if it doesn't, the password prompt returns immediately.
> >
> > i doubt this.
>
> I would certainly believe you, but i prefer to believe my own eyes. :-)
> See the link in my message for details.
your report is lacking details.
this all depends on the speed of crypt() on the target system.
also,
    When you login by ssh to a host and the password fails, there's
    a small delay before getting the password prompt again, which
    prevents bruteforce attacks.
is wrong, this has nothing to do with bruteforce prevention.
-m
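
An added example, not part of the thread and not OpenSSH code: it sketches the general mechanism under discussion, where a password check that skips the hash for unknown accounts does less work than one that does not. PBKDF2 stands in for crypt(), and all names (slow_hash, check_early_return, check_uniform, the sample account) are hypothetical.

```python
import hashlib, hmac, os

HASH_CALLS = 0  # counts slow-hash invocations, a deterministic proxy for time spent

def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for crypt(): a deliberately expensive password hash."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

# Constructed sample account database (user -> (salt, hash)).
USERS = {"alice": make_record("correct horse")}
# Fake record hashed when the user does not exist; it is never accepted.
DUMMY = make_record(os.urandom(16).hex())

def check_early_return(user: str, password: str) -> bool:
    """Skips the hash for unknown users, so response time depends on existence."""
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(slow_hash(password, salt), stored)

def check_uniform(user: str, password: str) -> bool:
    """Always performs exactly one hash, so both cases cost the same work."""
    rec = USERS.get(user)
    salt, stored = rec if rec is not None else DUMMY
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return ok and rec is not None

def hash_calls(check, user: str, password: str) -> int:
    """Number of slow-hash invocations that one login attempt costs."""
    before = HASH_CALLS
    check(user, password)
    return HASH_CALLS - before

if __name__ == "__main__":
    for check in (check_early_return, check_uniform):
        print(check.__name__,
              "existing:", hash_calls(check, "alice", "wrong"),
              "missing:", hash_calls(check, "nobody", "wrong"))
```

How visible the difference is over the network depends on how expensive the hash is on the target system.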