On Tue, Nov 16, 2004 at 03:11:07PM -0500, Joey Hess wrote:
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.2
> Severity: serious
> Tags: security
>
> CAN-2003-0190 describes a flaw in ssh's password prompt timing which
> makes it easy for an attacker to determine if a username exists on a
> machine. I've checked and testing and unstable's versions of ssh are
> vulnerable. Details and some fixes are in this message:
> http://marc.theaimsgroup.com/?l=bugtraq&m=105172058404810&w=2
>
> Feel free to downgrade this bug if you don't feel it's a real security
> problem or not RC. I assume upstream must not, since the problem has not
> been fixed in over a year. Of course, upstream probably doesn't use ssh
> in the vulnerable configuration, with pam.

I think it's been somewhat fixed upstream (where upstream == portable),
actually:

  20040530
  [...]
   - (dtucker) [auth-pam.c] Use an invalid password for root if
     PermitRootLogin != yes or the login is invalid, to prevent leaking
     information. Based on Openwall's owl-always-auth patch. ok djm@

However, that's only PAM password authentication, and
keyboard-interactive is relevant too. Darren, do you happen to know if
kbdint has been fixed in the same way in 3.9p1? I don't see anything
obvious in CVS.

Thanks,

-- 
Colin Watson [EMAIL PROTECTED]
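
The approach named in the ChangeLog entry quoted above, sketched as an added example that is not part of this thread and not OpenSSH's code: an early-reject login path next to one that always reaches the backend with a substituted invalid password. The account table, `BAD_PW`, `dummy`, `backend_verify` and the `backend_calls` counter are constructed stand-ins for PAM and are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy account table; a real backend checks salted hashes. */
struct account { const char *name; const char *password; };
static const struct account accounts[] = {
    { "root",  "toor-example" },
    { "alice", "correct horse" },
};
/* Assumed sentinels: strings that no entry in the toy table can match. */
static const char BAD_PW[] = "\b\n\r\177INVALID";
static const struct account dummy = { "", "\001unmatchable" };
int backend_calls; /* trips to the slow backend, the step that shows up as timing */

/* Stand-in for the PAM conversation (hashing, modules, failure delay). */
static int backend_verify(const struct account *a, const char *pw) {
    backend_calls++;
    return strcmp(a->password, pw) == 0;
}

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Leaky: an unknown user is rejected before the backend is ever reached. */
int leaky_auth(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    return a != NULL && backend_verify(a, pw);
}

/* Hardened: every attempt reaches the backend; disallowed ones carry BAD_PW. */
int always_auth(const char *user, const char *pw, int permit_root) {
    const struct account *a = lookup(user);
    int valid = a != NULL && (permit_root || strcmp(user, "root") != 0);
    if (!valid)
        pw = BAD_PW;
    return backend_verify(a ? a : &dummy, pw) && valid;
}

int main(void) {
    leaky_auth("nosuchuser", "guess");
    printf("leaky, unknown user: %d backend calls\n", backend_calls);
    always_auth("nosuchuser", "guess", 0);
    printf("hardened, unknown user: %d backend calls\n", backend_calls);
    return 0;
}
```

The final `&& valid` keeps a disallowed login rejected even if the backend were to accept the substituted password.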

