[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AIX password enumeration possible
- To: Scott J <mrbinary@yahoo.com>
- Subject: Re: AIX password enumeration possible
- From: Sven Specker <specker@rz.uni-frankfurt.de>
- Date: Thu, 12 Feb 2004 11:01:10 +0100
Tested with AIX 5.1 ML05, Commercial SSH v3.2.2
Known account on yyyy set to rlogin=false, ssh allows only 1 connection attempt
before error.
Case 1: Incorrect Password given.
user@xxxx:> ssh yyyy
user's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).
Case 2: Correct Password given.
user@xxxx:> ssh yyyy
user's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).
It seems as if the commercial ssh behaves differently and uses it's own
messages. All r-services and telnet are no longer existant on our systems, so
it appears to me that the easiest solution would be to use the commercial ssh
and dump the r-services. That's seems the best way for ppl who are eligible to
use the source release of the commercial ssh.
Regards,
Sven Specker
--
__________________________________________________________________
*** Sven Specker -- University of Frankfurt Computing Center ***
************ UNIX System Administration (NIM/Security) ***********
***** specker@rz.uni-frankfurt.de [Phone (+49)-69-798-25188] *****
******************************************************************
__________________________________________________________________
Johann Wolfgang Goethe Universitaet
- Hochschulrechenzentrum -
Senckenberganlage 31-33
D-60054 Frankfurt/Main
__________________________________________________________________
______________ TeX-users do it in {groups}________________________