bugs.debian.org
2607:f8f0:614:1::1274:39
Public Scan
Submitted URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248747
Effective URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248747
Submission: On January 22 via api from FR — Scanned from CA
Form analysis
0 forms found in the DOM
Text Content
Debian Bug report logs - #248747
sshd: no delay on successful root login with permitroot = no

Package: ssh; Maintainer for ssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for ssh is src:openssh.

Reported by: Ashar Voultoiz <thoane@altern.org>
Date: Wed, 12 May 2004 23:18:01 UTC
Severity: serious
Tags: fixed-in-experimental
Found in version 1:3.8p1-3
Fixed in version openssh/1:3.8.1p1-8.sarge.4
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.

--------------------------------------------------------------------------------
Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#248747; Package ssh.
--------------------------------------------------------------------------------
Acknowledgement sent to Ashar Voultoiz <thoane@altern.org>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>.
--------------------------------------------------------------------------------
Message #5 received at submit@bugs.debian.org:

From: Ashar Voultoiz <thoane@altern.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sshd: no delay on successful root login with permitroot = no
Date: Thu, 13 May 2004 01:02:07 +0200

Package: ssh
Version: 1:3.8p1-3
Severity: normal

Hello,

I found this bug and googled for it to get more information. The
following link is a security advisory mentioning it:

http://lab.mediaservice.net/advisory/2003-01-openssh.txt

Basically, if user root is not authorized to connect to ssh, if you enter
the correct password you will have no delay before the "password:"
prompt is shown again.

An attacker could then bruteforce the ssh login and just time the server
answer; if the answer is given back quickly, the password tried is the
correct one.

Many thanks for maintaining this package btw, it works well :o)

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.25-1-k7
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser         3.52          Add and remove users and groups
ii  debconf         1.4.22        Debian configuration management sy
ii  dpkg            1.10.21       Package maintenance system for Deb
ii  libc6           2.3.2.ds1-12  GNU C Library: Shared libraries an
ii  libpam-modules  0.76-19       Pluggable Authentication Modules f
ii  libpam-runtime  0.76-19       Runtime support for the PAM librar
ii  libpam0g        0.76-19       Pluggable Authentication Modules l
ii  libssl0.9.7     0.9.7d-1      SSL shared libraries
ii  libwrap0        7.6.dbs-3     Wietse Venema's TCP wrappers libra
ii  zlib1g          1:1.2.1-5     compression library - runtime

-- debconf information:
* ssh/privsep_tell:
  ssh/insecure_rshd:
  ssh/privsep_ask: true
  ssh/ssh2_keys_merged:
* ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true

--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#248747; Package ssh.
--------------------------------------------------------------------------------
Acknowledgement sent to Ashar Voultoiz <thoane@altern.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
--------------------------------------------------------------------------------
Message #10 received at 248747@bugs.debian.org:

From: Ashar Voultoiz <thoane@altern.org>
To: 248747@bugs.debian.org
Subject: [Fwd: Re: minor: no delay for root login with PermitRootLogin no]
Date: Thu, 13 May 2004 02:05:30 +0200

Please find below the answer I received from openssh devs:

Date: Mon, 10 May 2004 11:07:52 +1000
From: Darren Tucker <dtucker@zip.com.au>
To: thoane@altern.org
CC: openssh@openssh.com
Subject: Re: minor: no delay for root login with PermitRootLogin no
References: <200405091751.i49HphaM029482@cvs.openbsd.org>
In-Reply-To: <200405091751.i49HphaM029482@cvs.openbsd.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Status:

thoane@altern.org wrote:
> OpenSSH_3.8p1 Debian 1:3.8p1-3, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
> # sshd -V 2>&1 | grep version
> sshd version OpenSSH_3.8p1 Debian 1:3.8p1-3, OpenSSL 0.9.7d 17 Mar 2004
>
> My sshd is configured to refuse root login with the configuration key:
> PermitRootLogin no
> I mean, there isn't any "sleep time" like it's the case when I enter a bad password.

For a bad password, the delay is provided by PAM. If you want root to
behave the same way even for a correct password you need to arrange for
PAM to do it (eg in the sshd session stack) and not use PermitRootLogin.

This is not an OpenSSH problem as such, the Debian folks would be in a
much better position to help you.

--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#248747; Package ssh.
--------------------------------------------------------------------------------
Acknowledgement sent to Scott Dier <dieman@ringworld.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
--------------------------------------------------------------------------------
Message #15 received at 248747@bugs.debian.org:

From: Scott Dier <dieman@ringworld.org>
To: 248747@bugs.debian.org
Subject: ssh/timing issues with invalid/valid users
Date: Wed, 02 Jun 2004 13:11:38 -0500

I would recommend that this be added to a README file as a caveat of
using this service. Provide workarounds (like using nodelay in pam and
restricting root logins via pam instead of ssh to get similar behaviour)
in the blurb but I don't see how the package can ensure configurations
like this don't exist.

This bug allows for an enumeration of users, which can be done on many
machines using smtp, http, and other protocols. Therefore I feel we gain
very little in trying to fix this for all users, but it is important to
note for users who want to lock their machine down.

Thanks,

--
Scott Dier <dieman@ringworld.org> KC0OBS http://www.ringworld.org/

--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#248747; Package ssh.
--------------------------------------------------------------------------------
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
--------------------------------------------------------------------------------
Message #20 received at 248747@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Darren Tucker <dtucker@zip.com.au>
Cc: Joey Hess <joeyh@debian.org>, 281595@bugs.debian.org, 248747@bugs.debian.org
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames
Date: Sun, 28 Nov 2004 12:37:11 +0000

On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> > No, it's not fixed in 3.9p1.
> >
> > The problem is not exactly the same, though. In this case, it's partly
> > because the keyboard-interactive code doesn't call the kbdint driver at
> > all in this case. The first attached patch ought to fix that.
> >
> > With that fixed, a change to the PAM code is required because it will
> > complete for a real user with their real password if, eg they are listed
> > in DenyUsers. This will result in the PAM code getting out of sync with
> > the kbdint code, resulting in the authentication hanging. The second
> > patch ought to fix that.
> >
> > I haven't done much testing of either patch, so please let me know how
> > they go.
>
> Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> PasswordAuthentication; the patch is attached. It seems to work for me.
> After a bit more testing I'll upload this to unstable.

Here's a further patch on top of your openssh-pam-kbdint-leak.patch
which makes sure that attempted root logins when PermitRootLogin is not
set to yes always have the same delay (Debian bug #248747). It's the
same as you did for PAM PasswordAuthentication.

Cheers,

--
Colin Watson [cjwatson@debian.org]

--------------------------------------------------------------------------------
Severity set to `serious'. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org.
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#248747; Package ssh.
--------------------------------------------------------------------------------
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
--------------------------------------------------------------------------------
Message #27 received at 248747@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Darren Tucker <dtucker@zip.com.au>
Cc: Joey Hess <joeyh@debian.org>, 281595@bugs.debian.org, 248747@bugs.debian.org
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames
Date: Sun, 28 Nov 2004 12:52:14 +0000

On Sun, Nov 28, 2004 at 12:37:11PM +0000, Colin Watson wrote:
> On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> > Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> > PasswordAuthentication; the patch is attached. It seems to work for me.
> > After a bit more testing I'll upload this to unstable.
>
> Here's a further patch on top of your openssh-pam-kbdint-leak.patch
> which makes sure that attempted root logins when PermitRootLogin is not
> set to yes always have the same delay (Debian bug #248747). It's the
> same as you did for PAM PasswordAuthentication.

... how about I actually attach it?

--
Colin Watson [cjwatson@debian.org]

[openssh-root-delay.patch (text/plain, attachment)]

--------------------------------------------------------------------------------
Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
--------------------------------------------------------------------------------
Notification sent to Ashar Voultoiz <thoane@altern.org>:
Bug acknowledged by developer.
--------------------------------------------------------------------------------
Message #32 received at 248747-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 248747-close@bugs.debian.org
Subject: Bug#248747: fixed in openssh 1:3.8.1p1-8.sarge.4
Date: Sun, 28 Nov 2004 09:32:17 -0500

Source: openssh
Source-Version: 1:3.8.1p1-8.sarge.4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
openssh_3.8.1p1-8.sarge.4.diff.gz
  to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.4.diff.gz
openssh_3.8.1p1-8.sarge.4.dsc
  to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.4.dsc
ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
ssh_3.8.1p1-8.sarge.4_powerpc.deb
  to pool/main/o/openssh/ssh_3.8.1p1-8.sarge.4_powerpc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 248747@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Sun, 28 Nov 2004 12:37:16 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-8.sarge.4
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 248747 281595
Changes:
 openssh (1:3.8.1p1-8.sarge.4) unstable; urgency=high
 .
   * Fix timing information leak allowing discovery of invalid usernames in
     PAM keyboard-interactive authentication (backported from a patch by
     Darren Tucker; closes: #281595).
   * Make sure that there's a delay in PAM keyboard-interactive
     authentication when PermitRootLogin is not set to yes and the correct
     root password is entered (closes: #248747).

--------------------------------------------------------------------------------
Tags added: fixed-in-experimental
Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org.
--------------------------------------------------------------------------------
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sun Jan 22 10:59:28 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.