timing attack allows attacker to determine valid usernames
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Debian) | Fix Released | Unknown | |
openssh (Ubuntu) | Fix Released | High | Colin Watson |
Bug Description
Automatically imported from Debian bug report #281595 http://
CVE References
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Tue, 16 Nov 2004 15:11:07 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: timing attack allows attacker to determine valid usernames
Package: ssh
Version: 1:3.8.1p1-8.sarge.2
Severity: serious
Tags: security
CAN-2003-0190 describes a flaw in ssh's password prompt timing which
makes it easy for an attacker to determine if a username exists on a
machine. I've checked and testing and unstable's versions of ssh are
vulnerable. Details and some fixes are in this message:
http://
Feel free to downgrade this bug if you don't feel it's a real security
problem or not RC. I assume upstream must not, since the problem has not
been fixed in over a year. Of course, upstream probably doesn't use ssh
in the vulnerable configuration, with pam.
--
see shy jo
In Debian Bug tracker #281595, Colin Watson (cjwatson) wrote : Re: Bug#281595: timing attack allows attacker to determine valid usernames | #3 |
On Tue, Nov 16, 2004 at 03:11:07PM -0500, Joey Hess wrote:
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.2
> Severity: serious
> Tags: security
>
> CAN-2003-0190 describes a flaw in ssh's password prompt timing which
> makes it easy for an attacker to determine if a username exists on a
> machine. I've checked and testing and unstable's versions of ssh are
> vulnerable. Details and some fixes are in this message:
> http://
>
> Feel free to downgrade this bug if you don't feel it's a real security
> problem or not RC. I assume upstream must not, since the problem has not
> been fixed in over a year. Of course, upstream probably doesn't use ssh
> in the vulnerable configuration, with pam.
I think it's been somewhat fixed upstream (where upstream == portable),
actually:
20040530
[...]
- (dtucker) [auth-pam.c] Use an invalid password for root if
PermitRootLogin != yes or the login is invalid, to prevent leaking
information. Based on Openwall's owl-always-auth patch. ok djm@
However, that's only PAM password authentication, and
keyboard-
kbdint has been fixed in the same way in 3.9p1? I don't see anything
obvious in CVS.
Thanks,
--
Colin Watson [<email address hidden>]
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Fri, 19 Nov 2004 13:45:33 +0000
From: Colin Watson <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Cc: Darren Tucker <email address hidden>
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames
In Debian Bug tracker #281595, Darren Tucker (dtucker) wrote : | #5 |
Colin Watson wrote:
> 20040530
> [...]
> - (dtucker) [auth-pam.c] Use an invalid password for root if
> PermitRootLogin != yes or the login is invalid, to prevent leaking
> information. Based on Openwall's owl-always-auth patch. ok djm@
>
> However, that's only PAM password authentication, and
> keyboard-
> kbdint has been fixed in the same way in 3.9p1? I don't see anything
> obvious in CVS.
No, it's not fixed in 3.9p1.
The problem is not exactly the same, though. In this case, it's partly
because the keyboard-
all in this case. The first attached patch ought to fix that.
With that fixed, a change to the PAM code is required because it will
complete for a real user with their real password if, eg they are listed
in DenyUsers. This will result in the PAM code getting out of sync with
the kbdint code, resulting in the authentication hanging. The second
patch ought to fix that.
I haven't done much testing of either patch, so please let me know how
they go.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Sat, 20 Nov 2004 13:51:55 +1100
From: Darren Tucker <email address hidden>
To: Colin Watson <email address hidden>
CC: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#281595: timing attack allows attacker to determine valid
usernames
Index: auth2-chall.c
=======
RCS file: /cvs/src/
retrieving revision 1.21
diff -u -p -r1.21 auth2-chall.c
--- auth2-chall.c 1 Jun 2004 14:20:45 -0000 1.21
+++ auth2-chall.c 6 Jul 2004 12:13:10 -0000
@@ -268,12 +268,9 @@ input_userauth_
}
packet_
- if (authctxt->valid) {
- res = kbdintctxt-
- nresp, response);
- } else {
- res = -1;
- }
+ res = kbdintctxt-
+ if (!authctxt->valid)
+ res = 1; /* keep going if login invalid */
for (i = 0; i < nresp; i++) {
memset(
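Review bot: In the added lines, `res = 1; /* keep going if login invalid */` overwrites whatever the respond call returned, so for an invalid login a failure result (the removed code used `res = -1` for this case) can no longer end the exchange at this point. The comment should say that the override exists to give valid and invalid logins the same code path and the same prompts, and should point to whatever bounds the number of rounds, so a later reader does not take the discarded return value for a bug. The respond call also now runs for logins that failed validation, so the device behind it has to cope with that state.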
@@ -285,7 +282,7 @@ input_userauth_
switch (res) {
case 0:
/* Success! */
- authenticated = 1;
+ authenticated = authctxt->valid ? 1 : 0;
break;
case 1:
/* Authentication needs further interaction */
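Review bot: In `case 0`, `authenticated = authctxt->valid ? 1 : 0;` can only see `authctxt->valid` false if the `res = 1` override from the previous hunk is bypassed or later removed, so it is a second guard rather than the primary check. A one-line comment saying so would stop it being simplified back to `authenticated = 1` in a cleanup.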
Index: auth-pam.c
=======
In Debian Bug tracker #281595, Colin Watson (cjwatson) wrote : | #7 |
On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> No, it's not fixed in 3.9p1.
>
> The problem is not exactly the same, though. In this case, it's partly
> because the keyboard-
> all in this case. The first attached patch ought to fix that.
>
> With that fixed, a change to the PAM code is required because it will
> complete for a real user with their real password if, eg they are listed
> in DenyUsers. This will result in the PAM code getting out of sync with
> the kbdint code, resulting in the authentication hanging. The second
> patch ought to fix that.
>
> I haven't done much testing of either patch, so please let me know how
> they go.
Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
PasswordAuthent
After a bit more testing I'll upload this to unstable.
Cheers,
--
Colin Watson [<email address hidden>]
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Sat, 27 Nov 2004 17:26:50 +0000
From: Colin Watson <email address hidden>
To: Darren Tucker <email address hidden>
Cc: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames
Index: auth-pam.c
=======
RCS file: /home/cjwatson/
retrieving revision 1.10
diff -p -u -r1.10 auth-pam.c
--- auth-pam.c 10 Jul 2004 12:36:49 -0000 1.10
+++ auth-pam.c 27 Nov 2004 17:25:56 -0000
@@ -169,6 +169,7 @@ static int sshpam_
static int sshpam_
static char **sshpam_env = NULL;
static Authctxt *sshpam_authctxt = NULL;
+static char badpw[] = "\b\n\r\
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
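Review bot: The new `static char badpw[]` has no comment saying what it is for, and it is writable. Declare it `static const char badpw[]` if the call that consumes it accepts a const pointer, and add a comment stating that it is a deliberately unusable response sent in place of the client's input, so nobody later replaces it with a string that could be a real password.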
@@ -644,7 +645,10 @@ sshpam_respond(void *ctx, u_int num, cha
return (-1);
}
buffer_
- buffer_
+ if (sshpam_
+ buffer_
+ else
+ buffer_
if (ssh_msg_
buffer_
return (-1);
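Review bot: The `if`/`else` added in sshpam_respond() chooses between two buffer writes with no comment saying which branch forwards the client's response and which sends the substitute. Add that comment and brace both branches; the follow-up patch later in this thread already extends this condition, and an unbraced two-way branch on an authentication path is easy to get wrong when it grows.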
Index: auth2-chall.c
=======
RCS file: /home/cjwatson/
retrieving revision 1.1.1.3
diff -p -u -r1.1.1.3 auth2-chall.c
--- auth2-chall.c 17 Sep 2003 00:31:55 -0000 1.1.1.3
+++ auth2-chall.c 27 Nov 2004 17:25:57 -0000
@@ -275,12 +275,9 @@ input_userauth_
}
packet_
- if (authctxt->valid) {
- res = kbdintctxt-
- nresp, response);
- } else {
- res = -1;
- }
+ res = kbdintctxt-
+ if (!authctxt->valid)
+ res = 1; /* keep going if login invalid */
for (...
In Debian Bug tracker #281595, Colin Watson (cjwatson) wrote : | #9 |
On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> > No, it's not fixed in 3.9p1.
> >
> > The problem is not exactly the same, though. In this case, it's partly
> > because the keyboard-
> > all in this case. The first attached patch ought to fix that.
> >
> > With that fixed, a change to the PAM code is required because it will
> > complete for a real user with their real password if, eg they are listed
> > in DenyUsers. This will result in the PAM code getting out of sync with
> > the kbdint code, resulting in the authentication hanging. The second
> > patch ought to fix that.
> >
> > I haven't done much testing of either patch, so please let me know how
> > they go.
>
> Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> PasswordAuthent
> After a bit more testing I'll upload this to unstable.
Here's a further patch on top of your openssh-
which makes sure that attempted root logins when PermitRootLogin is not
set to yes always have the same delay (Debian bug #248747). It's the
same as you did for PAM PasswordAuthent
Cheers,
--
Colin Watson [<email address hidden>]
In Debian Bug tracker #281595, Colin Watson (cjwatson) wrote : | #10 |
On Sun, Nov 28, 2004 at 12:37:11PM +0000, Colin Watson wrote:
> On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> > Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> > PasswordAuthent
> > After a bit more testing I'll upload this to unstable.
>
> Here's a further patch on top of your openssh-
> which makes sure that attempted root logins when PermitRootLogin is not
> set to yes always have the same delay (Debian bug #248747). It's the
> same as you did for PAM PasswordAuthent
... how about I actually attach it?
--
Colin Watson [<email address hidden>]
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Sun, 28 Nov 2004 12:37:11 +0000
From: Colin Watson <email address hidden>
To: Darren Tucker <email address hidden>
Cc: Joey Hess <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Sun, 28 Nov 2004 12:52:14 +0000
From: Colin Watson <email address hidden>
To: Darren Tucker <email address hidden>
Cc: Joey Hess <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames
Index: auth-pam.c
=======
RCS file: /home/cjwatson/
retrieving revision 1.11
diff -p -u -r1.11 auth-pam.c
--- auth-pam.c 28 Nov 2004 12:31:03 -0000 1.11
+++ auth-pam.c 28 Nov 2004 12:33:20 -0000
@@ -645,7 +645,9 @@ sshpam_respond(void *ctx, u_int num, cha
return (-1);
}
buffer_
- if (sshpam_
+ if (sshpam_
+ (sshpam_
+ options.
buffer_
else
buffer_
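Review bot: The condition on the `if` now spans three lines, combining the existing `sshpam_` test with a parenthesised clause that reads `options.`, and the message introducing this patch says it repeats what the PAM password path already does. Move the test into one small helper (or a flag computed once on the auth context) that both paths call, with a comment naming the PermitRootLogin case, so the two copies of the predicate cannot drift apart.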
In Debian Bug tracker #281595, Colin Watson (cjwatson) wrote : Bug#281595: fixed in openssh 1:3.8.1p1-8.sarge.4 | #13 |
Source: openssh
Source-Version: 1:3.8.1p1-8.sarge.4
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-
to pool/main/
openssh-
to pool/main/
openssh_
to pool/main/
openssh_
to pool/main/
ssh-askpass-
to pool/main/
ssh_3.8.
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <email address hidden> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Sun, 28 Nov 2004 12:37:16 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-8.sarge.4
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
openssh-
openssh-
ssh - Secure rlogin/rsh/rcp replacement (OpenSSH)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 248747 281595
Changes:
openssh (1:3.8.
.
* Fix timing information leak allowing discovery of invalid usernames in
PAM keyboard-
Darren Tucker; closes: #281595).
* Make sure that there's a delay in PAM keyboard-
authentication when PermitRootLogin is not set to yes and the correct
root password is entered (closes: #248747).
Debian Bug Importer (debzilla) wrote : | #14 |
Message-Id: <email address hidden>
Date: Sun, 28 Nov 2004 09:32:17 -0500
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: Bug#281595: fixed in openssh 1:3.8.1p1-8.sarge.4
In Debian Bug tracker #281595, Colin Watson (cjwatson) wrote : Fixed in upload of openssh 1:3.8.1p1-14 to experimental | #15 |
tag 248747 + fixed-in-
tag 281595 + fixed-in-
quit
This message was generated automatically in response to an
upload to the experimental distribution. The .changes file follows.
Format: 1.7
Date: Sun, 28 Nov 2004 18:09:37 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:3.8.1p1-14
Distribution: experimental
Urgency: low
Maintainer: Matthew Vernon <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
openssh-
openssh-server - Secure shell server, an rshd replacement
openssh-
ssh - Secure shell client and server (transitional package)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 248747 281595
Changes:
openssh (1:3.8.1p1-14) experimental; urgency=low
.
* We use DH_COMPAT=2, so build-depend on debhelper (>= 2).
* Fix timing information leak allowing discovery of invalid usernames in
PAM keyboard-
Darren Tucker; closes: #281595).
* Make sure that there's a delay in PAM keyboard-
authentication when PermitRootLogin is not set to yes and the correct
root password is entered (closes: #248747).
Debian Bug Importer (debzilla) wrote : | #16 |
Message-Id: <email address hidden>
Date: Sun, 28 Nov 2004 13:32:07 -0500
From: Colin Watson <email address hidden>
To: <email address hidden>
Cc: Colin Watson <email address hidden>, Matthew Vernon <email address hidden>
Subject: Fixed in upload of openssh 1:3.8.1p1-14 to experimental
Colin Watson (cjwatson) wrote : | #17 |
openssh (1:3.8.
* Resynchronise with Debian.
-- Colin Watson <email address hidden> Mon, 29 Nov 2004 11:27:15 +0000
openssh (1:3.8.1p1-14) experimental; urgency=low
* We use DH_COMPAT=2, so build-depend on debhelper (>= 2).
* Fix timing information leak allowing discovery of invalid usernames in
PAM keyboard-
Darren Tucker; closes: #281595).
* Make sure that there's a delay in PAM keyboard-
authentication when PermitRootLogin is not set to yes and the correct
root password is entered (closes: #248747).
-- Colin Watson <email address hidden> Sun, 28 Nov 2004 18:09:37 +0000
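The two changelog items above describe one pattern: run the authentication backend for every login, substitute an unusable response when the login is invalid or root login is not permitted, and gate the final result on validity. The following is an added example of that pattern, not OpenSSH code and not the patches from this thread; the account table, `slow_verify`, `bad_response`, `no_such_user_pw` and the call counter (used here as a stand-in for elapsed time) are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed account table for the demo; not OpenSSH data structures. */
struct account { const char *name; const char *password; int denied; };
static const struct account accounts[] = {
    { "alice", "correct horse", 0 },
    { "root",  "demo-root-pw",  1 },  /* exists, but policy forbids login */
};
/* Hypothetical stand-ins: a response that never matches, a dummy stored value. */
static const char bad_response[] = "\b\n\r demo-unusable";
static const char no_such_user_pw[] = "demo-placeholder";
static unsigned long backend_calls;  /* proxy for time spent in the backend */

/* Expensive digest standing in for the PAM conversation (iterated FNV-1a). */
static uint64_t slow_hash(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (int round = 0; round < 2000; round++)
        for (const char *p = s; *p; p++)
            h = (h ^ (unsigned char)*p) * 1099511628211ULL;
    return h;
}

static int slow_verify(const char *stored, const char *supplied)
{
    backend_calls++;
    return slow_hash(stored) == slow_hash(supplied);
}

static const struct account *find_account(const char *user)
{
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Before: invalid or denied logins return without touching the backend,
 * so they answer faster than a valid login with a wrong password. */
static int auth_early_exit(const char *user, const char *pw)
{
    const struct account *a = find_account(user);
    if (a == NULL || a->denied)
        return 0;
    return slow_verify(a->password, pw);
}

/* After: the backend always runs; an invalid login is fed a response that
 * cannot succeed, and the result is gated on validity as a second guard. */
static int auth_uniform(const char *user, const char *pw)
{
    const struct account *a = find_account(user);
    int valid = (a != NULL && !a->denied);
    int ok = slow_verify(a ? a->password : no_such_user_pw,
                         valid ? pw : bad_response);
    return valid && ok;
}

/* Backend calls one attempt costs: the difference an observer could time. */
static unsigned long cost(int (*auth)(const char *, const char *),
                          const char *user, const char *pw)
{
    backend_calls = 0;
    (void)auth(user, pw);
    return backend_calls;
}

int main(void)
{
    printf("early exit: alice=%lu nobody=%lu; uniform: alice=%lu nobody=%lu\n",
           cost(auth_early_exit, "alice", "x"), cost(auth_early_exit, "nobody", "x"),
           cost(auth_uniform, "alice", "x"), cost(auth_uniform, "nobody", "x"));
    return 0;
}
```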
Changed in openssh: | |
status: | Unknown → Fix Released |
Automatically imported from Debian bug report #281595 http://bugs.debian.org/281595