RedHat really introduced one more bug.
When authenticating through kerberos (pam_krb5), redhat's sshd will segfault.
There are a couple of bug reports of this in bugzilla, but no comments from redhat so far.


I do not understand why the login process should take a longer time than usual.
The security issue, as I understand it, is that a login request with an invalid username or password
is rejected too fast; that way you can find a valid username, and after that try to find a matching
password. This does not mean that the login process for a real user should be longer, it only means
that it should take a longer time to get a faulty username/password pair rejected.


As for the log messages, I agree with you. These kinds of messages really mess
up the logfile!


/Johan Andersson

Bret Hughes wrote:

On Tue, 2003-08-05 at 06:54, Michael Schwendt wrote:



On Mon, 04 Aug 2003 22:22:16 -0600, Ashley M. Kirchner wrote:



While doing updates on my servers, I came across this one and I'm baffled. I always ssh into my primary server and then ssh to the others. I have them all set up to use keys, and normally it just logs in and records this in syslog. However, after rpm updated openssh/openssh-clients/openssh-server to 3.1p1-8 tonight, I'm noticing something odd. When I log in, I see this in the log file:

PAM-warn[1306]: service: sshd [on terminal: NODEVssh]
PAM-warn[1306]: user: (uid=0) -> root [remote: [EMAIL PROTECTED]
sshd(pam_unix)[1306]: authentication failure; logname= uid=0 euid=0
                     tty=NODEVssh ruser= rhost=intra.pcraft.com user=root
sshd(pam_unix)[1306]: session opened for user root by (uid=0)

Notice how pam now says it failed authentication, yet it logged me in. Um, what's going on?


See clarifying comment at end of
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=101157




I assume that you are referring to: <snip from bug comments>

If the only solution to the information leak is to have this delay, then so be
it.  But it seems like this should definitely be a configuration option for
those of us who aren't worried about this particular attack (the delay is very
annoying).  But the bogus authentication failure message is wrong in either
case.  As others have said, the cure is definitely worse than the disease.

</snip from bug comments>


The irritating thing is that this is CLOSED with a resolution of NOTABUG


I just did this upgrade today on a couple of my internal machines and
find this very irritating.  As several commenters have done, you can
back it out, but what happens when there is a real bug that gets fixed
later?

There are indeed two issues, as the comments indicate.

1. It takes much longer to log in. I use DSA type 2 keys and it usually
takes less than a second to get in; now it takes closer to three seconds.


2. Erroneous log messages

I understand a delay in the failing, but for an authenticated login?  And
I am sorry, bogus log messages are not ok.  I am about to try the
openssh.org rpm since I don't see any discussion about this on the
openssh developer or bug list.  I am thinking this is a bad backport.

Bret








--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
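
Added example, not part of the original thread and not Red Hat's or OpenSSH's code: a log filter that separates the spurious pam_unix "authentication failure" entries described above (same sshd PID, followed by "session opened" for the same user) from failures that never lead to a session, so failed-login monitoring is not skewed. The sample lines, host names and PIDs are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample in the message format quoted in the thread
# (host names and PIDs are made up for this example).
SAMPLE_LOG = """\
sshd(pam_unix)[1306]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=host-a.example.test user=root
sshd(pam_unix)[1306]: session opened for user root by (uid=0)
sshd(pam_unix)[1412]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=host-b.example.test user=root
sshd(pam_unix)[1520]: session opened for user alice by (uid=0)
sshd(pam_unix)[1412]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=host-b.example.test user=root
"""

LINE = re.compile(r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: (?P<msg>.*)")
FAIL = re.compile(r"authentication failure;.*\brhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?")
OPEN = re.compile(r"session opened for user (?P<user>\S+)")


def classify_failures(log_text):
    """Return (spurious, genuine) lists of (pid, user, rhost) tuples.

    A failure is spurious when the same sshd PID later opens a session
    for the same user. Assumption: PIDs are not reused within the log
    window being analysed.
    """
    pending = {}  # pid -> failures seen so far for that sshd process
    spurious, genuine = [], []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        failure = FAIL.search(msg)
        if failure:
            pending.setdefault(pid, []).append((failure["user"], failure["rhost"]))
            continue
        opened = OPEN.search(msg)
        if opened:
            # Resolve every failure this process logged before the session.
            for user, rhost in pending.pop(pid, []):
                bucket = spurious if user == opened["user"] else genuine
                bucket.append((pid, user, rhost))
    # Failures never followed by a session are real rejected attempts.
    for pid, items in pending.items():
        genuine.extend((pid, user, rhost) for user, rhost in items)
    return spurious, genuine


if __name__ == "__main__":
    print(classify_failures(SAMPLE_LOG))
```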
