Bug 141642
| Summary: | SSH allows attacker to divine root password | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 3 | Reporter: | George Toft <george> |
| Component: | openssh | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.0 | CC: | bressers, deisenst, mjc |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | impact=low,public=20041130 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-05-18 13:48:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This issue affects RHEL3 and RHEL2.1. Back-envelope estimates seem to show that with a 3 second delay between trials a dictionary attack of the sort desribed will get to perform, in optimal conditions, something between 2500 and 3000 probes per 24 hours. If an attack with such rate against any password, not mentioning the one for root, has realistic chances to succeed then the system in question has much more serious problems to worry about. Not that this is not a hole but just to keep things in a proportion. A fix for this minor issue will be included in RHSA-2005:106 scheduled for inclusion in Update 5. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-106.html |
From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Description of problem: With openssh configured to not allow remote root login (file: /etc/ssh/sshd_config, PermitRootLogin no), an attempt to log in remotely as root with the wrong password results in a 3 second delay followed by: Permission denied, please try again. If the correct password is entered, there is no delay before presenting the message: Permission denied, please try again. An attacker could measure the time between rejections with an attack tool and determine the root password. Version-Release number of selected component (if applicable): 3.1p1-14 How reproducible: Always Steps to Reproduce: 1. Set "PermitRootLogin no" in /etc/ssh/sshd_config 2. Restart sshd: service sshd restart 3. From remote machine, attempt remote login to server. Alternately, ssh localhost. 4. Enter bogus password - view error after 3 seconds. 5. Enter correct password - view error immediately with no delay. Actual Results: no delay presented when correct password is entered Expected Results: 3 second delay before presenting "Permission denied, please try again." Additional info: