Re: SSH bruteforce on its way...
Valdis.Kletnieks_at_vt.edu
Date: 10/26/05
- Previous message: Javier Fernandez-Sanguino: "Re: SSH bruteforce on its way..."
- In reply to: Russell Fulton: "Re: SSH bruteforce on its way..."
- Next in thread: Kurt Seifried: "Re: SSH bruteforce on its way..."
To: Russell Fulton <r.fulton@auckland.ac.nz>
Date: Tue, 25 Oct 2005 19:08:32 -0400
On Tue, 25 Oct 2005 09:17:07 +1300, Russell Fulton said:
>
> Would you please provide some supporting references. I can not find any
> evidence of existing timing attacks against openssh. In fact Openssh
> goes to some trouble to defeat such attacks.
Russell, your google-foo is obviously weak. Google'ed for '+ssh +timing +attack',
and the first few hits are against the keystroke-timing issue, and about number 6 is:
http://lists.debian.org/debian-ssh/2004/11/msg00053.html
which says:
CAN-2003-0190 describes a flaw in ssh's password prompt timing which
makes it easy for an attacker to determine if a username exists on a
machine. I've checked and testing and unstable's versions of ssh are
vulnerable. Details and some fixes are in this message:
http://marc.theaimsgroup.com/?l=bugtraq&m=105172058404810&w=2
References enough? ;)
- application/pgp-signature attachment: stored
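A general illustration of the class of flaw the quoted advisory text describes (a login check whose response time depends on whether the username exists), next to a check that does the same work either way. This is an added example, not part of the original message and not OpenSSH code; the user store, account name, password and work factor are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000        # constructed work factor for the demo
calls = {"kdf": 0}         # counts expensive hash runs, so no clock is needed

def kdf(password: str, salt: bytes) -> bytes:
    """Expensive password hash; each call is the measurable cost."""
    calls["kdf"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str):
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed account database (hypothetical user and password).
USERS = {"alice": make_record("correct horse")}
# Throwaway record hashed against when the username is unknown.
DUMMY = make_record(os.urandom(16).hex())

def check_leaky(user: str, password: str) -> bool:
    """Returns early for unknown users, so they answer measurably faster."""
    rec = USERS.get(user)
    if rec is None:
        return False       # no hash computed: timing reveals "no such user"
    salt, stored = rec
    return hmac.compare_digest(kdf(password, salt), stored)

def check_uniform(user: str, password: str) -> bool:
    """Hashes once for every request, known user or not."""
    rec = USERS.get(user)
    salt, stored = rec if rec is not None else DUMMY
    matches = hmac.compare_digest(kdf(password, salt), stored)
    return matches and rec is not None

def kdf_runs(check, user: str, password: str) -> int:
    """Number of expensive hash runs a single login attempt triggers."""
    before = calls["kdf"]
    check(user, password)
    return calls["kdf"] - before

if __name__ == "__main__":
    for check in (check_leaky, check_uniform):
        print(check.__name__,
              "known:", kdf_runs(check, "alice", "wrong"),
              "unknown:", kdf_runs(check, "nobody", "wrong"))
```
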