openssh unix dev - Aug 2018 - [oss-security] Re: About OpenSSH "user enumeration" / CVE-2018-15473

On Fri, 24 Aug 2018, Solar Designer wrote:
> Hi Damien,
> 
> Thank you for sharing these thoughts with the community.
> 
> On Fri, Aug 24, 2018 at 10:58:20AM +1000, Damien Miller wrote:
> > Finally, and perhaps most importantly: there's a fundamental
tradeoff
> > between attack surface and fixing this class of bug. As a concrete
> > example, fixing this one added about 150 lines of code to our
> > pre-authentication attack surface. In this case, we were willing to do
> > this because we had confidence in the additional parsing, mostly
because
> > it's been reviewed several times and we've conducted a decent
amount of
> > fuzzing on it. But, given the choice between leaving a known account
> > validity oracle or exposing something we don't trust, we'll
choose the
> > former every time.
> 
> Can you summarize for us all (on these mailing lists) the commits
> leading to OpenSSH 7.8 that deal with this issue and add "about 150
> lines of code", please? 
It's this one:
>  * sshd(8): avoid observable differences in request parsing that could
>    be used to determine whether a target user is valid.
(Commit 74287f5df9)

Note that there's no new code added, but delaying the checks means more
code is exposed before the authentication handler bails out.

-d