From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011014

Description of problem:
When you log in by ssh to a host and the password fails, there's a small delay before getting the password prompt again, which prevents brute-force attacks. But if you try to log in to a non-existent username, the password prompt returns immediately. This allows remote attackers to guess usernames.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. ssh some-nonexistent-username@hostname
2. enter some bogus pass
3.

Actual Results: you get the password prompt again immediately

Expected Results: there should be a delay before getting the prompt

Additional info:
tested on Red Hat 7.2 with openssh-3.0.2p1
> Expected Results: there should be a delay before getting the prompt

Why slow down valid users? If anything, there should be no delay for invalid accounts, but this facilitates password guessing.
In current Fedora Core (openssh-3.9p1) the non-existent accounts give the same delay as mistaken passwords on existing accounts.
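To make the contrast in the original report and in the last comment concrete, here is an added Python example (not OpenSSH code): a leaky password check that returns at once for unknown names, beside a uniform one that does the same hashing and the same failure delay whether or not the account exists, plus a helper that measures what a remote caller would observe. The account database, hash parameters, dummy credential and delay value are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed account database: username -> (salt, PBKDF2 hash). Not a real system.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential for unknown names, so the failure path does identical work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

FAIL_DELAY = 0.05  # seconds; constructed stand-in for sshd's delay after a failed password


def verify_leaky(username: str, password: str) -> bool:
    """Shape the bug report describes: an unknown user is rejected without hashing or delay."""
    if username not in USERS:
        return False  # immediate return -> a timing oracle on account existence
    salt, expected = USERS[username]
    if hmac.compare_digest(_hash(password, salt), expected):
        return True
    time.sleep(FAIL_DELAY)
    return False


def verify_uniform(username: str, password: str) -> bool:
    """Hardened shape: every rejection hashes once and sleeps once, known user or not."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), expected) and username in USERS
    if not ok:
        time.sleep(FAIL_DELAY)
    return ok


def failure_time(check, username: str, password: str) -> float:
    """Seconds one login attempt takes, as seen by the caller."""
    start = time.perf_counter()
    check(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for check in (verify_leaky, verify_uniform):
        known = failure_time(check, "alice", "wrong")
        unknown = failure_time(check, "mallory", "wrong")
        print(f"{check.__name__}: known={known:.3f}s unknown={unknown:.3f}s")
```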