Comment 10 for bug 10334

Colin Watson (cjwatson) wrote: Re: Bug#281595: timing attack allows attacker to determine valid usernames

On Sun, Nov 28, 2004 at 12:37:11PM +0000, Colin Watson wrote:
> On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> > Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> > PasswordAuthentication; the patch is attached. It seems to work for me.
> > After a bit more testing I'll upload this to unstable.
>
> Here's a further patch on top of your openssh-pam-kbdint-leak.patch
> which makes sure that attempted root logins when PermitRootLogin is not
> set to yes always have the same delay (Debian bug #248747). It's the
> same as you did for PAM PasswordAuthentication.

... how about I actually attach it?

--
Colin Watson [<email address hidden>]