On Wed, Jul 10, 2013 at 03:38:59PM +0200, Curesec Research Team wrote: > By testing several OpenSSH installations we figured there is a delay of > time when it comes to cracking users (not) existing on a system. A > normal Brute-force-Attack tests for the correct user and password > combination, usually without knowledge if the user on the system exists. FYI, the openssh guys have known this for quite a while and they don't treat it as an issue worth fixing. They don't want to introduce extra anti-timing code just to prevent user enumeration from working. You can also see a measurable difference when you try logging in with random public RSA keys – around 100% difference over localhost, over the internet it's much lower, but with a few attempts, you can still get good data. Well, for systems that have password auth enabled, your approach seems a lot more reliable. By the way: If you can hog the CPU for seconds by sending a few kilobytes of data, isn't that a DoS issue?
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/