Date: Sun, 26 Aug 2018 18:04:50 +1000 (AEST)
From: Damien Miller <djm@...drot.org>
To: oss-security@...ts.openwall.com
Subject: Re: About OpenSSH "user enumeration" / CVE-2018-15473

On Sat, 25 Aug 2018, Solar Designer wrote:

> This could mean an extra getpwnam(3) call, which is a slightly greater
> timing leak than what's present in one call. That may be further
> mitigated by always doing two calls. Of course, this won't be anywhere
> near timing-safe anyway.
>
> Now, it can be tricky to pick a specific fallback username in
> OpenSSH-portable that we'd be OK with all non-existent usernames to
> behave similarly to. "root" may somewhat likely have unusual password
> hash (like it historically did on OpenBSD); "nobody" likely has its
> password locked (but maybe that's OK - it is in fact common for SSH
> users to have only public keys setup, and no passwords). Maybe there
> should be a way to override this dummy username in sshd_config.

That sounds like a fair amount of complexity in return for scant benefit:
at best you dodge a few (IMO uninteresting) bugs, but now you are
guaranteed to have all your authz code exposed to the attacker.

Moreover, using a "real fake" account gives a timing / system behaviour
baseline too. It might be harder to discern, but techniques for making
remote observations of subtle system side-channels are scarily
well-developed, and I'm sure that it would be pretty easy to spot if
people applied them.

-d