[10769] in bugtraq
ssh advirsory
daemon@ATHENA.MIT.EDU (altellez@IP6SEGURIDAD.COM)
Wed Jun 9 14:56:37 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990609155154.A22258@ip6seguridad.com>
Date: Wed, 9 Jun 1999 15:51:54 +0200
Reply-To: altellez@IP6SEGURIDAD.COM
From: altellez@IP6SEGURIDAD.COM
To: BUGTRAQ@NETSPACE.ORG
Aleph ... Sorry if it is an old bug ...
i have tested a bug in ssh-2.0.12.
any remote attacker can guess real account in the machine
Details
when a ssh client connects to the daemon it has a number ( default
three ) of attempts to guess the correct password before
disconnecting if you try to connect with a correct login, but
you only have once if you try to connect with a no correct login.
EXAMPLE
alfonso is not user ( login ) in 192.168.0.1
$ssh 192.168.0.1 -l alfonso
alfonso's password: <hit ENTER key>
Disconnected; authentication error (Authentication method disabled.).
$
altellez is user ( login ) in 192.168.0.1
$ssh 192.168.0.1 -l altellez
altellez's password: <hit ENTER key>
altellez's password:
Now the remote attacker known that altellez is a true login in
192.168.0.1
QUICK FIX
Edit the file sshd2_config (usually at /etc/ssh2), set the value
of "PasswordGuesses" to 1.
I only has tested it with ssh-2.0.12
--
Saludos.
===========================================================
Alfonso Lazaro Tellez altellez@ip6seguridad.com
Analista de seguridad
IP6Seguridad http://www.ip6seguridad.com
Tfno: +34 91-3430245 C\Alberto Alcocer 5, 1 D
Fax: +34 91-3430294 Madrid ( SPAIN )
===========================================================
