Message-ID: <email address hidden>
Date: Sun, 28 Nov 2004 12:37:11 +0000
From: Colin Watson <email address hidden>
To: Darren Tucker <email address hidden>
Cc: Joey Hess <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames
On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> > No, it's not fixed in 3.9p1.
> >
> > The problem is not exactly the same, though. In this case, it's partly
> > because the keyboard-interactive code doesn't call the kbdint driver at
> > all in this case. The first attached patch ought to fix that.
> >
> > With that fixed, a change to the PAM code is required because it will
> > complete for a real user with their real password if, eg they are listed
> > in DenyUsers. This will result in the PAM code getting out of sync with
> > the kbdint code, resulting in the authentication hanging. The second
> > patch ought to fix that.
> >
> > I haven't done much testing of either patch, so please let me know how
> > they go.
>
> Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> PasswordAuthentication; the patch is attached. It seems to work for me.
> After a bit more testing I'll upload this to unstable.
Here's a further patch on top of your openssh-pam-kbdint-leak.patch
which makes sure that attempted root logins when PermitRootLogin is not
set to yes always have the same delay (Debian bug #248747). It's the
same as you did for PAM PasswordAuthentication.
Cheers,
--
Colin Watson [<email address hidden>]
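
Added example (not part of the original e-mail, and not OpenSSH or Debian patch code): the principle behind the fixes discussed above, where a login refused by policy (root without PermitRootLogin yes, a DenyUsers entry, an unknown name) still runs the same expensive check and is then forced to fail even if the password was right. The accounts, passwords and function names are constructed for illustration, and a call counter stands in for the measured delay.

```c
#include <string.h>
/* Constructed stand-ins for illustration; none of this is OpenSSH code. */
struct account { const char *name, *password; int allowed; };
static const struct account accounts[] = {
    { "root",  "sample-root-pw",  0 },  /* real account, login not permitted */
    { "alice", "sample-alice-pw", 1 },
};
static const struct account fake = { "NOUSER", "never-matches\n", 0 };
static int verify_calls;                /* counts runs of the slow step */

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Stand-in for the expensive check (crypt() or a PAM conversation). */
static int slow_verify(const struct account *a, const char *pw) {
    size_t n = strlen(pw), m = strlen(a->password), i;
    unsigned char diff = (unsigned char)(n != m);
    verify_calls++;
    for (i = 0; i < n; i++)             /* no early exit on mismatch */
        diff |= (unsigned char)(pw[i] ^ a->password[i % m]);
    return diff == 0;
}

/* Leaky: a refused or unknown user returns before the slow step runs. */
int auth_leaky(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    if (a == NULL || !a->allowed)
        return 0;
    return slow_verify(a, pw);
}

/* Uniform: always run the slow step, then force failure if not permitted. */
int auth_uniform(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    int permitted = (a != NULL && a->allowed);
    int ok = slow_verify(a != NULL ? a : &fake, pw);
    return ok && permitted;
}

/* Number of slow-step runs one attempt causes (a proxy for its delay). */
int slow_steps(int (*auth)(const char *, const char *), const char *user, const char *pw) {
    verify_calls = 0;
    (void)auth(user, pw);
    return verify_calls;
}
```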