ssh security

[Florin Andrei]

On Tue, 2006-01-03 at 11:26 -0500, Michael H. Warfield wrote:

> It's considered axiomatic that security
> systems should NEVER disclose that level of information, even to the
> point of not giving a different error (message or code) for invalid
> password vs invalid account.  Even timing (responding too quickly if the
> account doesn't exist compared to wrong password) is considered a
> SERIOUS no-no.  I would have to consider that sshdfilter a security
> vulnerability, not a security tool.

Fully agree.

Differences in the system's behavior, based on usernames, visible from
outside, are a security issue.

-- 
Florin Andrei

http://florin.myip.org/