Bug 57859 - password error delay reveals existing/non-existing accounts
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 7.2
Hardware: i686 Linux
Priority: medium  Severity: medium
Assigned To: Tomas Mraz
Brian Brock
Reported: 2001-12-28 14:06 EST by Florin Andrei
Modified: 2007-04-18 12:38 EDT

Doc Type: Bug Fix
Last Closed: 2005-02-03 04:57:53 EST
Description Florin Andrei 2001-12-28 14:06:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011014

Description of problem:
When you log in by ssh to a host and the password fails, there's a small
delay before getting the password prompt again, which prevents brute-force
attacks.
But if you try to login to a non-existent username, the password prompt
returns immediately.
This allows remote attackers to guess usernames.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. ssh some-nonexistent-username@hostname
2. enter some bogus pass

Actual Results: you get the password prompt again immediately

Expected Results: there should be a delay before getting the prompt

Additional info:

tested on Red Hat 7.2 with openssh-3.0.2p1
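The timing oracle the report describes, modelled as an added example (this is not code from the report, from Red Hat or from OpenSSH). `auth_vulnerable` reproduces the reported behaviour, a missing account rejected at once while a wrong password on a real account pays the failure delay; `auth_fixed` gives every failed attempt the same delay, which is the behaviour Tomas Mraz reports for the fixed version in comment 2; `username_enumerable` is the probe an attacker would run, comparing the failure time of a name known to exist with that of a guessed one. The account name, its secret, the dummy secret, `FAIL_DELAY` (a sleep standing in for sshd's failure delay) and the sample counts are constructed assumptions for the example.

```python
"""Timing oracle on sshd-style password failure delays (illustrative model).

Models the reported behaviour (immediate rejection for a missing account,
a delay only for a wrong password on a real one) next to the fixed
behaviour (the same delay for every failure), plus a probe that measures
the gap. All names, secrets and delays are constructed for the example.
"""
import hmac
import statistics
import time

# Constructed sample user database; not a real system.
ACCOUNTS = {"alice": "correct horse battery staple"}

# Failure delay in seconds; a sleep standing in for sshd's delay, scaled
# down so the example runs quickly.
FAIL_DELAY = 0.1

# Dummy secret compared against when the account does not exist, so the
# comparison does the same work whether or not the user is real.
_DUMMY_SECRET = "no-such-user-dummy-secret"


def _password_matches(user, password):
    """Constant-time comparison against the stored secret (or the dummy)."""
    stored = ACCOUNTS.get(user, _DUMMY_SECRET)
    return hmac.compare_digest(stored.encode(), password.encode())


def auth_vulnerable(user, password):
    """Reported behaviour: a missing user is rejected at once, a wrong
    password for an existing user pays FAIL_DELAY."""
    if user not in ACCOUNTS:
        return False
    if _password_matches(user, password):
        return True
    time.sleep(FAIL_DELAY)
    return False


def auth_fixed(user, password):
    """Every failed attempt pays FAIL_DELAY, whether or not the user exists."""
    matched = _password_matches(user, password)  # runs for missing users too
    ok = user in ACCOUNTS and matched
    if not ok:
        time.sleep(FAIL_DELAY)
    return ok


def failed_attempt_time(auth, user, samples=5):
    """Median wall-clock seconds for a failed login of `user` against `auth`."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        auth(user, "definitely-not-the-password")
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def username_enumerable(auth, known_user, probe_user, threshold=FAIL_DELAY / 2):
    """True if failed-login timing tells `probe_user` apart from `known_user`.

    An attacker who knows one valid account (root, or a typical one)
    compares its failure time with that of a guessed name; a gap of the
    order of the failure delay reveals whether the guess exists.
    """
    gap = abs(failed_attempt_time(auth, known_user)
              - failed_attempt_time(auth, probe_user))
    return gap > threshold


if __name__ == "__main__":
    for name, auth in (("vulnerable", auth_vulnerable), ("fixed", auth_fixed)):
        leak = username_enumerable(auth, "alice", "nosuchuser")
        print(f"{name}: existing account distinguishable by timing: {leak}")
```

The probe uses the median of several attempts because a single measurement over a real network carries enough jitter to hide or fake a gap; against a real sshd the delay is on the order of seconds, so the gap is large compared with the noise, which is what makes the oracle practical from a remote host. The fix does not need per-request constant time, only the same cost for every failure path, which is why `auth_fixed` still runs the password comparison (against a dummy secret) for names that do not exist.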
Comment 1 Damien Miller 2001-12-30 02:23:47 EST
> Expected Results:  there should be a delay before getting the prompt

Why slow down valid users? 

If anything, there should be no delay for invalid accounts, but this facilitates
password guessing.
Comment 2 Tomas Mraz 2005-02-03 04:57:53 EST
In current Fedora Core (openssh-3.9p1) the non-existing accounts give
the same delay as mistaken passwords on existing accounts.
