ssh security
Florin Andrei
florin at andrei.myip.org
Tue Jan 3 23:21:12 UTC 2006
On Tue, 2006-01-03 at 11:26 -0500, Michael H. Warfield wrote:
> It's considered axiomatic that security
> systems should NEVER disclose that level of information, even to the
> point of not giving a different error (message or code) for invalid
> password vs invalid account. Even timing (responding too quickly if the
> account doesn't exist compared to wrong password) is considered a
> SERIOUS no-no. I would have to consider that sshdfilter a security
> vulnerability, not a security tool.
Fully agree.
Differences in the system's behavior, based on usernames, visible from
outside, are a security issue.
--
Florin Andrei
http://florin.myip.org/
More information about the fedora-list
mailing list