Re: OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
- From: Matthew Miller <mattdm mattdm org>
- To: Discussion of the Fedora Legacy Project <fedora-legacy-list redhat com>
- Subject: Re: OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
- Date: Tue, 7 Dec 2004 11:57:19 -0500
On Tue, Dec 07, 2004 at 08:53:55AM -0700, Michal Jaegermann wrote:
> At first glance this looks like a problem which has the
> following entry in a changelog from openssh-3.1p1-14:
> * Thu Jun 05 2003 Nalin Dahyabhai <nalin redhat com> 3.1p1-7
> - backport patch to close timing attacks when PAM authentication is
> short-circuited by other checks
> At this time I am not absolutely sure about that.
That was my first thought too.
In general, this isn't a particularly worrisome issue, since a dictionary
attack is still required. It just makes the dictionary attack slightly
easier.
--
Matthew Miller mattdm mattdm org <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>