Prev-20 Home Next-20 4 msg apt-get upgrade rückgängig machen 1 msg Re: [SECURITY] [DSA 1050-1] New ClamAV packages... 2 msg AW: [SECURITY] [DSA 1048-1] New Asterisk packag... 1 msg Intelligent Investor Report 1 msg RE: RuAmerica Job 4 msg Re: [SECURITY] [DSA 1041-1] New abc2ps packages... UsePAM in /etc/ssh/sshd_config and timing attacks \ Alexandros Papadopoulos (24 Apr 2006) 9 msg Logauswertung 1 msg [Fwd: [Pkg-dia-team] Bug#364293: dia-common_0.9... 7 msg Security status of mozilla-* packages 2 msg Re: Re: postfix in qmail out proftpd in pureftpd 10 msg Debian Kernel security status? 4 msg Pam module for hylafax 1 msg RE: [SECURITY] [DSA 1033-1] New horde3 packages... 5 msg PHP4 vulnerabilities 1 msg debsums online database 3 msg IDS for a non-well-known protocol? 1 msg Re: [SECURITY] [DSA 1018-2] New Linux kernel 2.... 1 msg Re: [SECURITY] [DSA 1027-1] New mailman package... 4 msg Re: [SECURITY] [DSA 1024-1] New clamav packages... Prev-20 Home Next-20

Prev-Msg Prev-Thread Debian-security Apr-2006 Next-Thread Next-Msg Subject: UsePAM in /etc/ssh/sshd_config and timing attacks Group: Debian-security From: Alexandros Papadopoulos Date: 24 Apr 2006 Dear all People have been complaining for too long that timings attacks are possible because of the way OpenSSH responds to keyboard-interactive authentication. With the variance in the delay of response, it makes it obvious whether the username it tries to authenticate indeed exists on the remote machine or not. A few days ago De Raadt sent an email to BUQTRAQ blaming this information leakage to PAM. So, one would expect that the directive UsePAM in the sshd configuration file would help one get around this issue. But although I have "UsePam no", I still see the same behavior (variance in response time). Can this be resolved somehow? Cheers -A -- To UNSUBSCRIBE, email to debian-security-REQUEST with a subject of "unsubscribe". Trouble? Contact listmaster Prev-Msg Prev-Thread Debian-security Apr-2006 Next-Thread Next-Msg

© 2004-2008 readlist.com