Date: Wed, 9 Jun 1999 15:51:54 +0200
From: altellez@IP6SEGURIDAD.COM
To: BUGTRAQ@netspace.org
Subject: ssh advirsory

        Aleph ... Sorry if it is an old bug ...
        

        I have tested a bug in ssh-2.0.12.
        
        Any remote attacker can guess a real account on the machine.

        Details

        When an ssh client connects to the daemon, it has a number (default
        three) of attempts to guess the correct password before
        disconnecting if you try to connect with a correct login, but
        you only have one if you try to connect with an incorrect login.

        EXAMPLE

        alfonso is not a user (login) on 192.168.0.1
        

        $ssh 192.168.0.1 -l alfonso
        alfonso's password: <hit ENTER key>
        
        Disconnected; authentication error (Authentication method disabled.).
        $

        altellez is a user (login) on 192.168.0.1

        $ssh 192.168.0.1 -l altellez
        altellez's password: <hit ENTER key>
        altellez's password:

        Now the remote attacker knows that altellez is a true login on
        192.168.0.1

        QUICK FIX

        Edit the file sshd2_config (usually at /etc/ssh2), set the value
        of "PasswordGuesses" to 1.
        
        I have only tested it with ssh-2.0.12



--
Saludos.

===========================================================

   Alfonso Lazaro Tellez        altellez@ip6seguridad.com
   Analista de seguridad        
   IP6Seguridad                 http://www.ip6seguridad.com  
   Tfno: +34 91-3430245         C\Alberto Alcocer 5, 1 D        
   Fax:  +34 91-3430294         Madrid ( SPAIN )
===========================================================  

-------------------------------------------------------------------------------

Date: Wed, 9 Jun 1999 15:23:23 -0500
From: Jeff Long <long@KESTREL.CC.UKANS.EDU>
To: BUGTRAQ@netspace.org
Subject: Re: ssh advirsory

altellez@IP6SEGURIDAD.COM wrote:
>
>         Aleph ... Sorry if it is an old bug ...
>
>
>         I have tested a bug in ssh-2.0.12.
>
>         Any remote attacker can guess a real account on the machine.
>
>         Details
>
>         When an ssh client connects to the daemon, it has a number (default
>         three) of attempts to guess the correct password before
>         disconnecting if you try to connect with a correct login, but
>         you only have one if you try to connect with an incorrect login.
>
>         EXAMPLE
>
>         alfonso is not a user (login) on 192.168.0.1
>
>
>         $ssh 192.168.0.1 -l alfonso
>         alfonso's password: <hit ENTER key>
>
>         Disconnected; authentication error (Authentication method disabled.).
>         $

Interesting, in my installation of 2.0.13 I don't even get one chance to
enter a password when I use a login with no account on the machine:

long@somehost[15:18:44]~ $ slogin -l jkashrj somehost

Disconnected; authentication error (No further authentication methods
available.).
long@somehost[15:19:07]~ $


Perhaps a misconfiguration on my part but I'd say that is bad behavior.

Jeff Long

-------------------------------------------------------------------------------

Date: Wed, 9 Jun 1999 16:19:56 -0300
From: cseg@WIRETECH.COM.BR
To: BUGTRAQ@netspace.org
Subject: Re: ssh advirsory

On Wed, 9 Jun 1999 altellez@IP6SEGURIDAD.COM wrote:

>       Details
>
>       When an ssh client connects to the daemon, it has a number (default
>       three) of attempts to guess the correct password before
>       disconnecting if you try to connect with a correct login, but
>       you only have one if you try to connect with an incorrect login.
>
>       EXAMPLE
>
>       alfonso is not a user (login) on 192.168.0.1
>       
>
>       $ssh 192.168.0.1 -l alfonso
>       alfonso's password: <hit ENTER key>
>       
>       Disconnected; authentication error (Authentication method disabled.).
>       $
>
>       altellez is a user (login) on 192.168.0.1
>
>       $ssh 192.168.0.1 -l altellez
>       altellez's password: <hit ENTER key>
>       altellez's password:
>
>       Now the remote attacker knows that altellez is a true login on
>       192.168.0.1
>
>       QUICK FIX
>
>       Edit the file sshd2_config (usually at /etc/ssh2), set the value
>       of "PasswordGuesses" to 1.
>       
>       I have only tested it with ssh-2.0.12

  I just tried that error with ssh-2.0.13. It was stranger..


  --- [ nonexistent user `unknown' ]

  local:~> ssh -lunknown 192.168.0.1

  Disconnected; authentication error (No further authentication methods available.).
  local:~>

 --- [ existing user `me' ]

 local:~> ssh -lme 192.168.0.1
 me's password: [<ENTER>]

 Disconnected; authentication error (Authentication method disabled.).
 local:~>

--
Delete yourself, you got no chance to win.
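
The prompt-count difference reported in the first message, and the effect of the "PasswordGuesses" quick fix, as an added Python model that is not part of the thread and is not ssh code. The session functions, the SHA-256 password store and the single "disconnected" event are assumptions; only the number of password prompts a client sees is modelled.

```python
import hashlib
import hmac

# Constructed sample data: one real account; the login names come from the post.
ACCOUNTS = {"altellez": hashlib.sha256(b"constructed-secret").digest()}
DUMMY_HASH = hashlib.sha256(b"no-such-account").digest()


def vulnerable_session(login, guesses, password_guesses=3):
    """Model of the reported behaviour: an unknown login is cut off after one
    wrong password, a real login gets password_guesses prompts."""
    allowed = password_guesses if login in ACCOUNTS else 1
    transcript = []
    for guess in guesses[:allowed]:
        transcript.append("prompt")
        stored = ACCOUNTS.get(login)
        if stored and hmac.compare_digest(stored, hashlib.sha256(guess).digest()):
            return transcript + ["accepted"]
    return transcript + ["disconnected"]


def uniform_session(login, guesses, password_guesses=3):
    """Hardened model: same prompt count and same hashing work for every login."""
    stored = ACCOUNTS.get(login, DUMMY_HASH)  # unknown logins compare to a dummy
    known = login in ACCOUNTS
    transcript = []
    for guess in guesses[:password_guesses]:
        transcript.append("prompt")
        match = hmac.compare_digest(stored, hashlib.sha256(guess).digest())
        if match and known:  # a dummy-hash match never authenticates
            return transcript + ["accepted"]
    return transcript + ["disconnected"]


def leaks_account_existence(session, password_guesses):
    """Regression check: send wrong (empty) passwords to a real and an unreal
    login and report whether the client-visible transcripts differ."""
    wrong = [b""] * password_guesses
    real = session("altellez", wrong, password_guesses)
    fake = session("alfonso", wrong, password_guesses)
    return real != fake
```

In this model, setting the guess limit to 1 makes the two transcripts identical, which is what the quick fix relies on; the uniform variant keeps the default of three without the difference.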