Bug 264781
| Summary: | SSH allows attacker to divine user password | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | George Toft <george> |
| Component: | openssh | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED WONTFIX | QA Contact: | Brian Brock <bbrock> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.4 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-08-29 20:21:28 UTC | Type: | --- |
Description
George Toft
2007-08-29 19:44:44 UTC
I don't think this problem is serious enough to warrant invasive changes which would be necessary to fix this. The password should be good enough so the attacker cannot brute force it regardless of whether the account is expired or not. Note that the password authentication and account/password expiration checks are done in different calls to the PAM library and it wouldn't be easy to merge them into one.