Red Hat Bugzilla – Bug 57859
password error delay reveals existing/non-existing accounts
Last modified: 2007-04-18 12:38:50 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011014
Description of problem:
When you log in by ssh to a host and the password fails, there's a small
delay before getting the password prompt again, which prevents brute force
But if you try to login to a non-existent username, the password prompt
This allows remote attackers to guess usernames.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ssh some-nonexistent-username@hostname
2. enter some bogus pass
Actual Results: you get the password prompt again immediately
Expected Results: there should be a delay before getting the prompt
tested on Red Hat 7.2 with openssh-3.0.2p1
> Expected Results: there should be a delay before getting the prompt
Why slow down valid users?
If anything, there should be no delay for invalid accounts, but this facilitates
In current Fedora Core (openssh-3.9p1) the non-existing accounts give
the same delay as mistaken passwords on existing accounts.
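The oracle described in the report, and the uniform-delay behaviour noted in the last comment, modelled in Python as an added example (this is not code from the bug report or from OpenSSH): a minimal authentication routine with the reported flaw beside one where unknown users pay the same failure delay as a wrong password, plus the enumeration an attacker would run against either. The account table, the 0.1 s penalty, the password guess and all function names are constructed for illustration; a real attacker measures the delay over the network, so the threshold would have to allow for jitter. OpenSSH itself closes the gap by substituting a fake passwd entry for unknown users so that both cases run the same code path.

```python
"""Timing oracle for username enumeration: vulnerable vs. uniform-delay auth.

Example code modelling the bug above; not OpenSSH's implementation.
"""
import statistics
import time

# Constructed account store standing in for /etc/passwd + /etc/shadow.
ACCOUNTS = {"alice": "correct horse", "bob": "hunter2"}

# Assumed failure penalty; the report only says "a small delay".
FAIL_DELAY = 0.10  # seconds
WRONG_GUESS = "definitely-not-the-password"  # constructed guess, never a real password


def vulnerable_auth(user, password):
    """Behaviour reported in the bug: the penalty is paid only if the user exists,
    so an unknown user is re-prompted immediately and the timing leaks existence."""
    if user not in ACCOUNTS:
        return False  # early return: no delay for non-existent accounts
    if ACCOUNTS[user] != password:
        time.sleep(FAIL_DELAY)  # delay only on this path -> the oracle
        return False
    return True


def hardened_auth(user, password):
    """Behaviour described in the last comment: unknown users take the same
    failure path and the same delay as a wrong password on a real account."""
    ok = ACCOUNTS.get(user) == password  # absent user compares as a failure
    if not ok:
        time.sleep(FAIL_DELAY)  # paid identically for both failure reasons
    return ok


def time_attempt(auth, user, samples=3):
    """Median wall-clock cost of a failed login for `user`, as a remote client
    would observe it between password prompt and re-prompt."""
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter()
        auth(user, WRONG_GUESS)
        timings.append(time.perf_counter() - t0)
    return statistics.median(timings)


def enumerate_users(auth, candidates, threshold=FAIL_DELAY / 2):
    """Classify each candidate from its failure delay. Against the vulnerable
    server the result separates real from absent accounts; against the hardened
    server every candidate lands in the same class and the oracle is gone."""
    return {
        user: ("exists" if time_attempt(auth, user) >= threshold else "absent")
        for user in candidates
    }


def oracle_leaks(auth, candidates):
    """True if the classification splits candidates into more than one class,
    i.e. the timing still distinguishes existing from non-existing accounts."""
    return len(set(enumerate_users(auth, candidates).values())) > 1


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print("vulnerable:", enumerate_users(vulnerable_auth, names))
    print("hardened:  ", enumerate_users(hardened_auth, names))
```

Running it shows the vulnerable routine labelling `mallory` as absent and the other two as existing, while the hardened routine returns one class for all three. Note the fix keeps the delay rather than dropping it: removing the penalty for everyone would equalise the timing but give up the brute-force slowdown the original delay was there for.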