Dear all,

People have been complaining for too long that timing attacks are possible because of the way OpenSSH responds to keyboard-interactive authentication. The variance in the delay of the response makes it obvious whether the username it tries to authenticate indeed exists on the remote machine or not.

A few days ago De Raadt sent an email to BUGTRAQ blaming this information leakage on PAM. So, one would expect that the directive UsePAM in the sshd configuration file would help one get around this issue. But although I have "UsePam no", I still see the same behavior (variance in response time).

Can this be resolved somehow?

Cheers
-A