Russell,
I know that someone has already provided you with some info, but here
is some more:
http://www.milw0rm.com/id.php?id=26
Thats the gossh.sh exploit. while it is not that reliable, it is a PoC.
http://www.securityfocus.com/bid/11781/discuss
Thats a PAM weakness (another timing attack) that enabled remote
attackers to discover valid usernames.
http://www.securityfocus.com/bid/7467
Thats another PAM weakness. Its the securityfocus BID for the gossh.sh exploit.
http://www.securityfocus.com/bid/7482
Thats a timing attack that may allow a remote attacker to guess the
root/administrative password.
A simple google search like the one posted previously will turn up more info.
peace,
--Justin
On 10/24/05, Russell Fulton <r.fulton@auckland.ac.nz> wrote:
Justin wrote:
Jouser,
Nah, there were some exploits a while back that took advanteage in
some timing flaws in the SSHd that let attackers determin valid
usernames.
Would you please provide some supporting references. I can not find any
evidence of existing timing attacks against openssh. In fact Openssh
goes to some trouble to defeat such attacks.
While on this thread, one effective counter measure against brute force
password attacks is to use decent passwords which everyone should be
doing anyway. We have lost about 3 systems here to ssh brute force
attacks and in all cases the systems were in serious breach of our
policies (which are not particularly draconian).
In one case I did feel a bit sorry for the victims, they had installed a
third party package that created an account with an insecure password
and they never noticed. A good case for simple monitoring script like
the one that is run nightly on OBSD system that warns you about changes
in critical files.
Russell.
peace,
--Justin
On 21 Oct 2005 18:05:27 -0000, jouser@gmail.com <jouser@gmail.com> wrote:
I didn't think it was possible to determine valid usernames by themselves?
You either have a valid username AND password or not.
