Aleph ...

Sorry if it is an old bug ... I have tested a bug in ssh-2.0.12. Any remote attacker can guess real accounts on the machine.

Details

When an ssh client connects to the daemon, it has a number (default three) of attempts to guess the correct password before disconnecting if you try to connect with a correct login, but you only have one if you try to connect with an incorrect login.

EXAMPLE

alfonso is not a user (login) on 192.168.0.1

  $ ssh 192.168.0.1 -l alfonso
  alfonso's password: <hit ENTER key>
  Disconnected; authentication error (Authentication method disabled.).
  $

altellez is a user (login) on 192.168.0.1

  $ ssh 192.168.0.1 -l altellez
  altellez's password: <hit ENTER key>
  altellez's password:

Now the remote attacker knows that altellez is a true login on 192.168.0.1.

QUICK FIX

Edit the file sshd2_config (usually at /etc/ssh2) and set the value of "PasswordGuesses" to 1.

I have only tested it with ssh-2.0.12.

--
Regards.

===========================================================
Alfonso Lazaro Tellez          altellezat_private
Security analyst               IP6Seguridad
http://www.ip6seguridad.com    Tel: +34 91-3430245
C\Alberto Alcocer 5, 1 D       Fax: +34 91-3430294
Madrid (SPAIN)
===========================================================
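The quick fix above is a single configuration value, and the practical defender question is whether a given sshd2_config actually has it set. The following audit script is an added example, not part of the original post or of the ssh.com software; it assumes the sshd2_config "Keyword value" line format with "#" comments, treats a missing PasswordGuesses line as the default of three attempts that the post describes, and builds its own constructed sample config files so it runs offline. It also flags the weak setting beside the corrected one, so an administrator can see which file would leak the valid/invalid login distinction.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd2_config for the
# PasswordGuesses setting. Assumption: lines are "Keyword value" with '#'
# comments, as in the ssh.com config format; the default of 3 when the
# option is absent is the value stated in the post.

# Print the effective PasswordGuesses value for the config file given as $1.
password_guesses() {
    cfg="$1"
    # Strip comments, match the keyword case-insensitively, keep the last occurrence.
    val=$(sed 's/#.*//' "$cfg" | awk 'tolower($1) == "passwordguesses" { v = $2 } END { print v }')
    if [ -z "$val" ]; then
        echo 3   # option absent: daemon default per the post
    else
        echo "$val"
    fi
}

# Return 0 (pass) when every login gets exactly one guess, 1 (fail) otherwise.
# With one guess for valid and invalid logins alike, the attempt count no
# longer reveals whether the account exists.
check_password_guesses() {
    n=$(password_guesses "$1")
    case "$n" in
        1)
            echo "PASS: $1: PasswordGuesses is 1 (same attempt count for valid and invalid logins)"
            return 0
            ;;
        *)
            echo "FAIL: $1: PasswordGuesses is $n; set it to 1"
            return 1
            ;;
    esac
}

# Constructed sample configs (not real system files) so the script runs offline.
tmpd=$(mktemp -d)
trap 'rm -rf "$tmpd"' EXIT
printf '# weak: three guesses, but only when the login exists\nPasswordGuesses 3\n' > "$tmpd/weak_config"
printf '# corrected per the quick fix\nPasswordGuesses     1\n' > "$tmpd/fixed_config"
printf '# option omitted entirely, so the daemon default of 3 applies\nPort 22\n' > "$tmpd/default_config"

check_password_guesses "$tmpd/weak_config"
check_password_guesses "$tmpd/fixed_config"
check_password_guesses "$tmpd/default_config"
```

Run it against a real file with `check_password_guesses /etc/ssh2/sshd2_config` after sourcing the script; the last-occurrence rule in `password_guesses` matters because a later line in the file overrides an earlier one, so a stray `PasswordGuesses 3` near the end would silently undo the fix.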
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:33 PDT