Comment 12 for bug 10334

Message-ID: <email address hidden>
Date: Sun, 28 Nov 2004 12:52:14 +0000
From: Colin Watson <email address hidden>
To: Darren Tucker <email address hidden>
Cc: Joey Hess <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sun, Nov 28, 2004 at 12:37:11PM +0000, Colin Watson wrote:
> On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> > Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> > PasswordAuthentication; the patch is attached. It seems to work for me.
> > After a bit more testing I'll upload this to unstable.
>
> Here's a further patch on top of your openssh-pam-kbdint-leak.patch
> which makes sure that attempted root logins when PermitRootLogin is not
> set to yes always have the same delay (Debian bug #248747). It's the
> same as you did for PAM PasswordAuthentication.

... how about I actually attach it?

--
Colin Watson [<email address hidden>]

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="openssh-root-delay.patch"

Index: auth-pam.c
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/auth-pam.c,v
retrieving revision 1.11
diff -p -u -r1.11 auth-pam.c
--- auth-pam.c 28 Nov 2004 12:31:03 -0000 1.11
+++ auth-pam.c 28 Nov 2004 12:33:20 -0000
@@ -645,7 +645,9 @@ sshpam_respond(void *ctx, u_int num, cha
   return (-1);
  }
  buffer_init(&buffer);
- if (sshpam_authctxt->valid)
+ if (sshpam_authctxt->valid &&
+ (sshpam_authctxt->pw->pw_uid != 0 ||
+ options.permit_root_login == PERMIT_YES))
   buffer_put_cstring(&buffer, *resp);
  else
   buffer_put_cstring(&buffer, badpw);

--G4iJoqBmSsgzjUCe--