[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used

To: "Stanislaw Klekot" <dozzie@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used
From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
Date: Tue, 24 Apr 2007 10:06:58 -0400

On 4/24/07, Stanislaw Klekot <dozzie@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Look closer to challenge message. There's salt and key number included.
> Consider now three logins: first isn't valid account on the target
> system, second is valid but without OTP set, and third with OTP set.
> First two are indistinguishable for attacker as in these cases system
> presents random challenge, but for third account system will present the
> same challenge over and over again.
>
> How about that?

Perhaps rather than presenting a random challenge, the challenge could
be based on a hash of the account name used and a per-system salt?

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used
  - From: rembrandt
- Re: [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used
  - From: Stanislaw Klekot

Prev by Date: [Full-disclosure] rPSA-2007-0081-1 postgresql postgresql-server
Next by Date: [Full-disclosure] [ GLSA 200704-21 ] ClamAV: Multiple vulnerabilities
Previous by thread: Re: [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used
Next by thread: Re: [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used
Index(es):
- Date
- Thread