altellezat_private wrote:
>
> Aleph ... Sorry if it is an old bug ...
>
> i have tested a bug in ssh-2.0.12.
>
> any remote attacker can guess real account in the machine
>
> Details
>
> when a ssh client connects to the daemon it has a number ( default
> three ) of attempts to guess the correct password before
> disconnecting if you try to connect with a correct login, but
> you only have once if you try to connect with a no correct login.
>
> EXAMPLE
>
> alfonso is not user ( login ) in 192.168.0.1
>
> $ssh 192.168.0.1 -l alfonso
> alfonso's password: <hit ENTER key>
>
> Disconnected; authentication error (Authentication method disabled.).
> $

Interesting, in my installation of 2.0.13 I don't even get one chance to
enter a password when I use a login with no account on the machine:

long@somehost[15:18:44]~
$ slogin -l jkashrj somehost
Disconnected; authentication error (No further authentication methods available.).
long@somehost[15:19:07]~
$

Perhaps a misconfiguration on my part but I'd say that is bad behavior.

Jeff Long
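
The behaviour described in the quoted report, reduced to a small C model. This is an added example, not code from ssh-2.0.12 or from either poster; the account table, the function names and the dummy reference string are constructed for illustration. It contrasts the reported per-account prompt limit with a variant that gives every login the same number of prompts.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ATTEMPTS 3 /* "default three" in the report */

/* Constructed account table for this model; not real data. */
static const char *const ACCOUNTS[][2] = { { "alice", "s3cret-example" } };

static const char *stored_password(const char *login)
{
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i][0], login) == 0)
            return ACCOUNTS[i][1];
    return NULL; /* no such account */
}

/* Reported behaviour: an unknown login is dropped after a single prompt.
 * Returns the number of password prompts the client sees. */
int prompts_reported(const char *login, const char *guess)
{
    const char *pw = stored_password(login);
    int limit = pw ? MAX_ATTEMPTS : 1;
    for (int n = 1; n <= limit; n++)
        if (pw && strcmp(pw, guess) == 0)
            return n; /* authenticated on prompt n */
    return limit;
}

/* Uniform variant: same prompt count whether or not the account exists. */
int prompts_uniform(const char *login, const char *guess)
{
    const char *pw = stored_password(login);
    const char *ref = pw ? pw : "*no-such-account*"; /* dummy reference */
    for (int n = 1; n <= MAX_ATTEMPTS; n++)
        if (strcmp(ref, guess) == 0 && pw != NULL)
            return n; /* only a real account can authenticate */
    return MAX_ATTEMPTS;
}

/* 1 if a wrong guess yields different prompt counts for a known and an
 * unknown login, i.e. the prompt count reveals whether the account exists. */
int reveals_account(int (*prompts)(const char *, const char *))
{
    return prompts("alice", "") != prompts("alfonso", "");
}

int main(void)
{
    printf("reported=%d uniform=%d\n", reveals_account(prompts_reported), reveals_account(prompts_uniform));
    return 0;
}
```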