OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
Matthew Miller
mattdm at mattdm.org
Tue Dec 7 16:57:19 UTC 2004
On Tue, Dec 07, 2004 at 08:53:55AM -0700, Michal Jaegermann wrote:
> On the first glance this looks like a problem which has the
> following entry in a changelog from openssh-3.1p1-14:
> * Thu Jun 05 2003 Nalin Dahyabhai <nalin at redhat.com> 3.1p1-7
> - backport patch to close timing attacks when PAM authentication is
> short-circuited by other checks
> At this iime I am not absolutely sure about that.
That was my first thought too.
In general, this isn't a particularly worrisome issue, since a dictionary
attack is still required. It just makes the dictionary attack slightly
easier.
--
Matthew Miller mattdm at mattdm.org <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
More information about the fedora-legacy-list
mailing list