[10779] in bugtraq
Re: ssh advirsory
daemon@ATHENA.MIT.EDU (Jeff Long)
Thu Jun 10 14:44:10 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <375ECD3B.C982EF52@kestrel.cc.ukans.edu>
Date: Wed, 9 Jun 1999 15:23:23 -0500
Reply-To: Jeff Long <long@KESTREL.CC.UKANS.EDU>
From: Jeff Long <long@KESTREL.CC.UKANS.EDU>
To: BUGTRAQ@NETSPACE.ORG
altellez@IP6SEGURIDAD.COM wrote:
>
> Aleph ... Sorry if it is an old bug ...
>
>
> I have tested a bug in ssh-2.0.12.
>
> Any remote attacker can guess real accounts on the machine.
>
> Details
>
> When an ssh client connects to the daemon, it has a number (default
> three) of attempts to guess the correct password before
> disconnecting if you try to connect with a correct login, but
> you only have one if you try to connect with an incorrect login.
>
> EXAMPLE
>
> alfonso is not a user (login) on 192.168.0.1
>
>
> $ssh 192.168.0.1 -l alfonso
> alfonso's password: <hit ENTER key>
>
> Disconnected; authentication error (Authentication method disabled.).
> $
Interesting; in my installation of 2.0.13 I don't even get one chance to
enter a password when I use a login with no account on the machine:
long@somehost[15:18:44]~ $ slogin -l jkashrj somehost
Disconnected; authentication error (No further authentication methods
available.).
long@somehost[15:19:07]~ $
Perhaps a misconfiguration on my part, but I'd say that is bad behavior.
Jeff Long
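As an added illustration (not code from either post or from the ssh distribution), the following Python models the attempt-budget difference described in this thread next to a variant that responds identically for real and bogus accounts, so a defender can see what "same behaviour regardless of account existence" means in practice. The account database, the hashing, and the "Permission denied." string are constructed assumptions; only "Authentication method disabled." is taken from the thread.

```python
# Constructed model of the reported ssh-2.0.12 behaviour and a hardened
# variant. Not real sshd code; accounts, hashing and messages are made up.
import hashlib
import hmac

MAX_ATTEMPTS = 3


def _h(pw: str) -> bytes:
    # Toy salted hash; a real system would use a proper password KDF.
    return hashlib.sha256(b"constructed-salt:" + pw.encode()).digest()


ACCOUNTS = {"long": _h("correct horse")}       # constructed account database
DUMMY_HASH = _h("dummy-never-matches")         # used for unknown users


def vulnerable_auth(user: str, attempts: list) -> dict:
    """Reported behaviour: an unknown user gets one attempt and a distinct
    message, so both the attempt count and the text reveal account existence."""
    if user not in ACCOUNTS:
        return {"attempts": 1, "message": "Authentication method disabled."}
    for i, pw in enumerate(attempts[:MAX_ATTEMPTS], 1):
        if hmac.compare_digest(_h(pw), ACCOUNTS[user]):
            return {"attempts": i, "message": "OK"}
    return {"attempts": MAX_ATTEMPTS, "message": "Permission denied."}


def hardened_auth(user: str, attempts: list) -> dict:
    """Same attempt budget, same message and same hash work whether or not the
    account exists; unknown users are compared against a dummy hash."""
    known = user in ACCOUNTS
    expected = ACCOUNTS.get(user, DUMMY_HASH)
    for i, pw in enumerate(attempts[:MAX_ATTEMPTS], 1):
        # The hash is always computed and compared, but an unknown user can
        # never succeed even if the dummy value were somehow matched.
        if hmac.compare_digest(_h(pw), expected) and known:
            return {"attempts": i, "message": "OK"}
    return {"attempts": MAX_ATTEMPTS, "message": "Permission denied."}


def leaks_existence(auth) -> bool:
    """True if the observable response differs between a real account and a
    bogus one when the same wrong passwords (empty, as in the thread) are tried."""
    probe = ["", "", ""]
    return auth("long", probe) != auth("alfonso", probe)
```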