[30007] in bugtraq

Re: OpenSSH/PAM timing attack allows remote users identification

daemon@ATHENA.MIT.EDU (Marco Ivaldi)
Fri May 2 15:12:39 2003

Date: Fri, 2 May 2003 15:48:00 +0200 (CEST)
From: Marco Ivaldi <raptor@mediaservice.net>
To: Michael Shigorin <mike@osdn.org.ua>
In-Reply-To: <20030502131559.GY11315@osdn.org.ua>
Message-ID: <Pine.LNX.4.30L2.0305021528540.32266-100000@dns.mediaservice.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 2 May 2003, Michael Shigorin wrote:

> Are you talking of CURRENT branch?  4.x use linux-PAM as well.

Yeah, I was talking about FreeBSD-current, where OpenPAM has replaced
LinuxPAM, and new PAM modules have been introduced.

Speaking about FreeBSD 4.x, it doesn't seem to be vulnerable to the big
timing leak described in the advisory, even if it doesn't use the "nodelay"
option in /etc/pam.conf. I've not investigated this behaviour further.

I believe, however, that all systems (FreeBSD included) are vulnerable to
many smaller timing leaks, and not only in OpenSSH. But I guess this is a
known problem.

--
Marco Ivaldi
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


