Hi everyone, I created a patch for CVE-2018-15919, "user enumeration via auth2-gss.c" (even though it is not user enumeration). While this patch appears to fix the problem, at least from my small amount of testing, I can't be sure that I am not introducing a new bug or a new security hole. Hopefully some people who are more knowledgeable can take a look. The fix is two parts: 1) When a valid username is presented, sshd responds with SSH_MSG_USERAUTH_INFO_REQUEST. Otherwise, sshd responds with SSH_MSG_USERAUTH_FAILURE. My solution to this is to remove the code that presents the SSH_MSG_USERAUTH_FAILURE when an invalid username is presented. The expectation is that the login will be invalidated if/when the gssapi credentials are presented later. 2) The failure count is not incremented when a valid username is presented, but credentials are not. I created an interim value, was_postponed, that records the value of postponed so that when postponed is reset and the authentication is checked it can be used to determine whether the failure count can be increased. I hope that you will find this useful. --Thanks, --Jason Sikes -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-7.6p1-prevent_gssapi_username_oracle.patch Type: text/x-patch Size: 1288 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190228/9c16f863/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: pEpkey.asc Type: application/pgp-keys Size: 1753 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190228/9c16f863/attachment-0001.bin>