Bug 264781 - SSH allows attacker to divine user password
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Version: 4.4
Hardware: i386 Linux
Priority: medium
Severity: low
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Reported: 2007-08-29 15:44 EDT by George Toft
Modified: 2007-11-16 20:14 EST (History)
Last Closed: 2007-08-29 16:21:28 EDT
Description George Toft 2007-08-29 15:44:44 EDT
With an expired user account, an attempt to log in remotely with the wrong
password results in a 3 second delay followed by:
Access denied.

If the correct password is entered, there is no delay before 
presenting the message:
Access denied.

An attacker could measure the time between rejections with an attack 
tool and determine the user's password.



Version-Release number of selected component (if applicable):
3.9p1 
8.RHEL4.15 

How reproducible:
Always

Steps to Reproduce:
1. From remote machine, attempt remote login to server with an expired account.
 Alternately, ssh localhost.
2. Enter bogus password - view error after 3 seconds.
3. Enter correct password - view error immediately with no delay.

    
Actual Results:  no delay presented when correct password is entered

Expected Results:  3 second delay before presenting "Access denied."


Additional info:
May be related to bug 141642 and 146882


Supporting log entries:
/var/log/messages
Aug 29 12:02:11 dbabb3 sshd(pam_unix)[3005]: account gtoft has expired (failed to change password)

/var/log/secure
Aug 29 19:20:57 dbabb3 sshd[4677]: Failed password for gtoft from ::ffff:192.168.114.1 port 3440 ssh2
Aug 29 12:20:57 dbabb3 sshd[4597]: Failed password for gtoft from ::ffff:192.168.114.1 port 3440 ssh2
Aug 29 19:20:59 dbabb3 sshd[4677]: Failed password for gtoft from ::ffff:192.168.114.1 port 3440 ssh2
Aug 29 12:20:59 dbabb3 sshd[4597]: Failed password for gtoft from ::ffff:192.168.114.1 port 3440 ssh2
Note:
1.  Timing in above shows less than 3 seconds elapse between password entries
2.  There are 2 different times for the same event, 7 hours apart (system is in
GMT-7 America/Phoenix timezone)

User entry from /etc/shadow (password hash mangled):
gtoft:$1$jvmsof8HIN60h28HX$1/9YkyzdSxbe.:13615:7:90:28:7::
Comment 1 Tomas Mraz 2007-08-29 16:21:28 EDT
I don't think this problem is serious enough to warrant invasive changes which
would be necessary to fix this. The password should be good enough so the
attacker cannot brute force it regardless whether the account is expired or not.

Note that the password authentication and account/password expiration checks are
done in different calls to PAM library and it wouldn't be easy to merge them
into one.
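
The timing difference described in this report, and the two separate checks mentioned in comment 1, modelled as an added example that is not part of the bug report and is not OpenSSH or PAM code. All names are hypothetical, the 100 ms delay is an assumed stand-in for the 3 second delay, and `login_padded` shows one way to make every denial take the same minimum time regardless of which check refused.

```c
/* Constructed model of the two-phase login check; not OpenSSH or Linux-PAM code. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define FAIL_DELAY_MS 100L /* assumed, scaled-down stand-in for the 3 second delay */
struct account { const char *password; bool expired; };
typedef bool (*login_fn)(const struct account *, const char *);
static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}
static void sleep_ms(long ms) {
    if (ms <= 0) return;
    struct timespec ts = { .tv_sec = ms / 1000, .tv_nsec = (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}
/* Phase 1: password check (strcmp stands in for the hash check); only this phase delays. */
static bool auth_phase(const struct account *a, const char *pw) {
    if (strcmp(a->password, pw) == 0) return true;
    sleep_ms(FAIL_DELAY_MS);
    return false;
}
/* Phase 2: separate expiry check, which adds no delay of its own. */
static bool acct_phase(const struct account *a) { return !a->expired; }
/* Behaviour as reported: a denial from phase 2 returns immediately. */
bool login_reported(const struct account *a, const char *pw) {
    return auth_phase(a, pw) && acct_phase(a);
}
/* Padded: any denial takes at least FAIL_DELAY_MS, whichever phase refused. */
bool login_padded(const struct account *a, const char *pw) {
    long start = now_ms();
    bool ok = auth_phase(a, pw) && acct_phase(a);
    if (!ok) sleep_ms(FAIL_DELAY_MS - (now_ms() - start));
    return ok;
}
/* Wall-clock duration of one login attempt, in milliseconds. */
long denial_ms(login_fn login, const struct account *a, const char *pw) {
    long start = now_ms();
    (void)login(a, pw);
    return now_ms() - start;
}
int main(void) {
    struct account a = { "correct-pw", true }; /* constructed expired account */
    printf("reported: wrong=%ldms correct=%ldms\n", denial_ms(login_reported, &a, "wrong-pw"), denial_ms(login_reported, &a, "correct-pw"));
    printf("padded:   wrong=%ldms correct=%ldms\n", denial_ms(login_padded, &a, "wrong-pw"), denial_ms(login_padded, &a, "correct-pw"));
}
```
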
