CAN-2003-0190 describes a flaw in ssh's password prompt timing which
makes it easy for an attacker to determine if a username exists on a
machine. I've checked and testing and unstable's versions of ssh are
vulnerable. Details and some fixes are in this message: http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D105172058404810&w=3D2
Feel free to downgrade this bug if you don't feel it's a real security
problem or not RC. I assume upstream must not, since the problem has not
been fixed in over a year. Of course, upstream problably doesn't use ssh
in the vulnerable configuration, with pam.
--=20
see shy jo
--VS++wcV0S1rZb1Fb
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
Message-ID: <email address hidden>
Date: Tue, 16 Nov 2004 15:11:07 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: timing attack allows attacker to determine valid usernames
--VS++wcV0S1rZb1Fb Disposition: inline Transfer- Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Content-
Content-
Package: ssh
Version: 1:3.8.1p1-8.sarge.2
Severity: serious
Tags: security
CAN-2003-0190 describes a flaw in ssh's password prompt timing which marc.theaimsgro up.com/ ?l=3Dbugtraq& m=3D10517205840 4810&w= 3D2
makes it easy for an attacker to determine if a username exists on a
machine. I've checked and testing and unstable's versions of ssh are
vulnerable. Details and some fixes are in this message:
http://
Feel free to downgrade this bug if you don't feel it's a real security
problem or not RC. I assume upstream must not, since the problem has not
been fixed in over a year. Of course, upstream problably doesn't use ssh
in the vulnerable configuration, with pam.
--=20
see shy jo
--VS++wcV0S1rZb1Fb pgp-signature; name="signature .asc" Description: Digital signature Disposition: inline
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
HehbQuO8RAhQdAJ 9vX7qqeX/ o1omjdtICaEq9lw XhiACfaNou Er0ryN/ o=
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBml7bd8H
1vS3O884o0cblm2
=U6Mq
-----END PGP SIGNATURE-----
--VS++wcV0S1rZb 1Fb--