OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
Marcus Lauer
marcus.lauer at nyu.edu
Tue Dec 7 22:21:30 UTC 2004
On Tue, 2004-12-07 at 11:57, Matthew Miller wrote:
> On Tue, Dec 07, 2004 at 08:53:55AM -0700, Michal Jaegermann wrote:
> > On the first glance this looks like a problem which has the
> > following entry in a changelog from openssh-3.1p1-14:
> > * Thu Jun 05 2003 Nalin Dahyabhai <nalin at redhat.com> 3.1p1-7
> > - backport patch to close timing attacks when PAM authentication is
> > short-circuited by other checks
> > At this iime I am not absolutely sure about that.
>
> That was my first thought too.
>
> In general, this isn't a particularly worrisome issue, since a dictionary
> attack is still required. It just makes the dictionary attack slightly
> easier.
I do hope that somebody fixes this, though. Any bug which
allows a dictionary attack on the root account, unlikely as it is to
work, is still surely a bad thing.
--
Marcus Lauer
Lab Manager for the Curtis Lab
Psychology Department, NYU
Phone: (212)998-8347
http://psych.nyu.edu/curtislab/
More information about the fedora-legacy-list
mailing list