Date: Wed, 9 Jun 1999 15:51:54 +0200 From: altellez@IP6SEGURIDAD.COM To: BUGTRAQ@netspace.org Subject: ssh advirsory Aleph ... Sorry if it is an old bug ... i have tested a bug in ssh-2.0.12. any remote attacker can guess real account in the machine Details when a ssh client connects to the daemon it has a number ( default three ) of attempts to guess the correct password before disconnecting if you try to connect with a correct login, but you only have once if you try to connect with a no correct login. EXAMPLE alfonso is not user ( login ) in 192.168.0.1 $ssh 192.168.0.1 -l alfonso alfonso's password: Disconnected; authentication error (Authentication method disabled.). $ altellez is user ( login ) in 192.168.0.1 $ssh 192.168.0.1 -l altellez altellez's password: altellez's password: Now the remote attacker known that altellez is a true login in 192.168.0.1 QUICK FIX Edit the file sshd2_config (usually at /etc/ssh2), set the value of "PasswordGuesses" to 1. I only has tested it with ssh-2.0.12 -- Saludos. =========================================================== Alfonso Lazaro Tellez altellez@ip6seguridad.com Analista de seguridad IP6Seguridad http://www.ip6seguridad.com Tfno: +34 91-3430245 C\Alberto Alcocer 5, 1 D Fax: +34 91-3430294 Madrid ( SPAIN ) =========================================================== ------------------------------------------------------------------------------- Date: Wed, 9 Jun 1999 15:23:23 -0500 From: Jeff Long To: BUGTRAQ@netspace.org Subject: Re: ssh advirsory altellez@IP6SEGURIDAD.COM wrote: > > Aleph ... Sorry if it is an old bug ... > > > i have tested a bug in ssh-2.0.12. > > any remote attacker can guess real account in the machine > > Details > > when a ssh client connects to the daemon it has a number ( default > three ) of attempts to guess the correct password before > disconnecting if you try to connect with a correct login, but > you only have once if you try to connect with a no correct login. > > EXAMPLE > > alfonso is not user ( login ) in 192.168.0.1 > > > $ssh 192.168.0.1 -l alfonso > alfonso's password: > > Disconnected; authentication error (Authentication method disabled.). > $ Interesting, in my installation of 2.0.13 I don't even get one chance to enter a password when I use a login with no account on the machine: long@somehost[15:18:44]~ $ slogin -l jkashrj somehost Disconnected; authentication error (No further authentication methods available.). long@somehost[15:19:07]~ $ Perhaps a misconfiguration on my part but I'd say that is bad behavior. Jeff Long ------------------------------------------------------------------------------- Date: Wed, 9 Jun 1999 16:19:56 -0300 From: cseg@WIRETECH.COM.BR To: BUGTRAQ@netspace.org Subject: Re: ssh advirsory On Wed, 9 Jun 1999 altellez@IP6SEGURIDAD.COM wrote: > Details > > when a ssh client connects to the daemon it has a number ( default > three ) of attempts to guess the correct password before > disconnecting if you try to connect with a correct login, but > you only have once if you try to connect with a no correct login. > > EXAMPLE > > alfonso is not user ( login ) in 192.168.0.1 > > > $ssh 192.168.0.1 -l alfonso > alfonso's password: > > Disconnected; authentication error (Authentication method disabled.). > $ > > altellez is user ( login ) in 192.168.0.1 > > $ssh 192.168.0.1 -l altellez > altellez's password: > altellez's password: > > Now the remote attacker known that altellez is a true login in > 192.168.0.1 > > QUICK FIX > > Edit the file sshd2_config (usually at /etc/ssh2), set the value > of "PasswordGuesses" to 1. > > I only has tested it with ssh-2.0.12 I just tried that error with ssh-2.0.13. It was more strange.. --- [ unexistant user `unknown' ] local:~> ssh -lunknown 192.168.0.1 Disconnected; authentication error (No further authentication methods available.). local:~> --- [ existant user `me' ] local:~> ssh -lme 192.168.0.1 me's password: [] Disconnected; authentication error (Authentication method disabled.). local:~> -- Delete yurself, you got no chance to win.