Message-ID: <alpine.BSO.2.21.1808261758080.76507@haru.mindrot.org>
Date: Sun, 26 Aug 2018 18:04:50 +1000 (AEST)
From: Damien Miller <djm@...drot.org>
To: oss-security@...ts.openwall.com
Subject: Re: About OpenSSH "user enumeration" / CVE-2018-15473

On Sat, 25 Aug 2018, Solar Designer wrote:

> This could mean an extra getpwnam(3) call, which is a slightly greater
> timing leak than what's present in one call. That may be further
> mitigated by always doing two calls. Of course, this won't be anywhere
> near timing-safe anyway.
>
> Now, it can be tricky to pick a specific fallback username in
> OpenSSH-portable that we'd be OK with all non-existent usernames to
> behave similarly to. "root" may somewhat likely have unusual password
> hash (like it historically did on OpenBSD); "nobody" likely has its
> password locked (but maybe that's OK - it is in fact common for SSH
> users to have only public keys setup, and no passwords). Maybe there
> should be a way to override this dummy username in sshd_config.

That sounds like a fair amount of complexity in return for scant
benefit: at best you dodge a few (IMO uninteresting) bugs, but now you
are guaranteed to have all your authz code exposed to the attacker.

Moreover, using a "real fake" account gives a timing / system behaviour
baseline too. It might be harder to discern, but techniques for making
remote observations of subtle system side-channels are scarily
well-developed, and I'm sure that it would be pretty easy to spot if
people applied them.

-d
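As an added illustration of the trade-off discussed in this thread (not code from the thread, and not OpenSSH's own code), the following Python model puts the two authentication paths side by side: the early-return pattern, where a lookup miss skips the password hash entirely, and the fallback-record pattern from the quoted proposal, where an unknown username is hashed against a dummy record so both branches do the same expensive work. The function names (`verify_early_return`, `verify_constant_work`, `median_time`), the `DUMMY_RECORD` stand-in for a fallback username, the PBKDF2 stand-in for the system password hash, and the in-memory account table are all constructed for this example.

```python
import hashlib
import hmac
import os
import time
from collections import namedtuple

# Cost parameter for the PBKDF2 stand-in; modest so the demo runs in well under a second.
ITERATIONS = 20_000

# `hashed` records whether the expensive hash ran, so the behavioural difference
# between the two patterns can be checked without relying on a timer.
VerifyResult = namedtuple("VerifyResult", ["accepted", "hashed"])


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the system password hash (crypt(3) in a real sshd)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))


# Constructed account table standing in for the passwd/shadow database.
USERS = {
    "alice": make_record("correct horse battery staple"),
}

# Fallback record used for usernames that do not exist. Its password is a random
# secret that is discarded immediately, so no guess can match it, and nothing is
# pinned to a real account such as "root" or "nobody".
DUMMY_RECORD = make_record(os.urandom(32).hex())


def verify_early_return(username: str, password: str) -> VerifyResult:
    """Leaky pattern: a lookup miss returns before any hashing is done,
    so unknown users answer much faster than known ones."""
    record = USERS.get(username)
    if record is None:
        return VerifyResult(accepted=False, hashed=False)
    salt, expected = record
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return VerifyResult(accepted=ok, hashed=True)


def verify_constant_work(username: str, password: str) -> VerifyResult:
    """Fallback pattern: unknown users are hashed against DUMMY_RECORD so both
    branches do the same expensive work; the result is ANDed with `known` so
    the dummy can never be logged into even if its hash somehow matched."""
    record = USERS.get(username)
    known = record is not None
    salt, expected = record if known else DUMMY_RECORD
    match = hmac.compare_digest(hash_password(password, salt), expected)
    return VerifyResult(accepted=(match and known), hashed=True)


def median_time(verify, username: str, password: str, rounds: int = 15) -> float:
    """Median wall-clock seconds for one verification; used only to eyeball the gap."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        verify(username, password)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    # Compare a known user against an unknown one under each pattern.
    for verify in (verify_early_return, verify_constant_work):
        known = median_time(verify, "alice", "wrong password")
        unknown = median_time(verify, "mallory", "wrong password")
        print(f"{verify.__name__:22s} known={known * 1e3:7.2f} ms  "
              f"unknown={unknown * 1e3:7.2f} ms")
```

Running the script shows the early-return path answering unknown users in microseconds while known users pay the full hash cost, and the fallback path paying that cost in both cases. As the reply above points out, the fallback branch is still a distinct path (a table miss followed by a different record), so this narrows the observable gap rather than removing it; the `hashed` flag is the deterministic check, the timings are only illustrative.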
