Re: OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
- From: Marcus Lauer <marcus lauer nyu edu>
- To: Discussion of the Fedora Legacy Project <fedora-legacy-list redhat com>
- Subject: Re: OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
- Date: 07 Dec 2004 17:21:30 -0500
On Tue, 2004-12-07 at 11:57, Matthew Miller wrote:
> On Tue, Dec 07, 2004 at 08:53:55AM -0700, Michal Jaegermann wrote:
> > At first glance this looks like a problem which has the
> > following entry in a changelog from openssh-3.1p1-14:
> > * Thu Jun 05 2003 Nalin Dahyabhai <nalin redhat com> 3.1p1-7
> > - backport patch to close timing attacks when PAM authentication is
> > short-circuited by other checks
> > At this time I am not absolutely sure about that.
>
> That was my first thought too.
>
> In general, this isn't a particularly worrisome issue, since a dictionary
> attack is still required. It just makes the dictionary attack slightly
> easier.
I do hope that somebody fixes this, though. Any bug which
allows a dictionary attack on the root account, unlikely as it is to
work, is still surely a bad thing.
--
Marcus Lauer
Lab Manager for the Curtis Lab
Psychology Department, NYU
Phone: (212)998-8347
http://psych.nyu.edu/curtislab/
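The short-circuited authentication check that the quoted changelog entry and the thread refer to, as an added example that is not OpenSSH's code and is not part of the original messages: a toy login routine in Python whose failure paths do different amounts of work, so that an unknown user, a wrong password and a correct-but-policy-denied password each take a different time to answer, beside a variant that performs the same work on every path and decides only at the end. The account names, passwords, the delay value and the PBKDF2 stand-in for the PAM password check are all assumptions made for the example; whether the OpenSSH/PAM code paths had exactly this shape is not something the thread establishes.

```python
"""Added example (not OpenSSH's code): a login routine whose failure paths cost
different amounts of work leaks, through response time, whether a username
exists and whether a password was right, even when the login is refused."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

FAIL_DELAY = 0.02   # assumed stand-in for the delay a PAM stack imposes on a failed password
KDF_ITERS = 10_000  # assumed; kept low so the example runs quickly


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    may_login: bool   # False models an account policy refuses, e.g. root with remote login disabled


@dataclass
class Trace:
    """Work performed during one attempt; a remote attacker sees it as elapsed time."""
    kdf_runs: int = 0
    delays: int = 0

    def signature(self):
        return (self.kdf_runs, self.delays)


def kdf(password: str, salt: bytes) -> bytes:
    """Slow password check standing in for the PAM stack (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS)


def make_db() -> dict:
    """Constructed sample accounts; names and passwords are assumptions, not real data."""
    def acct(pw, may_login):
        salt = os.urandom(16)
        return Account(salt, kdf(pw, salt), may_login)
    return {"alice": acct("alice-pw", True), "root": acct("r00t-pw", False)}


# Record the hardened path checks against when the user does not exist,
# so an unknown user costs exactly as much as a known one.
_DUMMY_SALT = bytes(16)
DUMMY = Account(_DUMMY_SALT, kdf("", _DUMMY_SALT), False)


def vulnerable_login(user, password, db, trace):
    """Short-circuits: each outcome does a different amount of work."""
    acct = db.get(user)
    if acct is None:
        return False                      # no KDF, no delay: unknown users answer fast
    trace.kdf_runs += 1
    if not hmac.compare_digest(kdf(password, acct.salt), acct.pw_hash):
        trace.delays += 1
        time.sleep(FAIL_DELAY)            # wrong password: slow
        return False
    if not acct.may_login:
        return False                      # right password but policy denies: fast again
    return True


def hardened_login(user, password, db, trace):
    """Same KDF and same delay on every path; the decision is taken at the end."""
    acct = db.get(user, DUMMY)
    trace.kdf_runs += 1                   # KDF runs whether or not the user exists
    pw_ok = hmac.compare_digest(kdf(password, acct.salt), acct.pw_hash)
    ok = pw_ok and user in db and acct.may_login
    if not ok:
        trace.delays += 1
        time.sleep(FAIL_DELAY)            # every refusal pays the same delay
    return ok


def oracle_distinguishes(login, db, attempts):
    """True if the attempts leave different work traces, i.e. timing separates them."""
    sigs = set()
    for user, password in attempts:
        t = Trace()
        login(user, password, db, t)
        sigs.add(t.signature())
    return len(sigs) > 1


def elapsed(login, db, user, password):
    start = time.perf_counter()
    login(user, password, db, Trace())
    return time.perf_counter() - start


if __name__ == "__main__":
    db = make_db()
    probes = [("nosuchuser", "x"), ("root", "wrong"), ("root", "r00t-pw")]
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        for u, p in probes:
            print(f"{name:10} {u:12} {elapsed(fn, db, u, p) * 1000:6.1f} ms")
```

Running the block prints the per-probe wall-clock time for both routines; the `Trace` counters make the leak visible without depending on clock noise. In the vulnerable routine the root probes with a wrong and a correct password leave different traces even though both are refused, which is exactly what lets a remote caller run a dictionary attack against root's password while root login is disabled, and the unknown-user probe is distinguishable from any known user. The hardened routine gives all three probes the same trace.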