![[LWN Logo]](/images/lwn.banner.gif)
Date: Wed, 9 Jun 1999 15:51:54 +0200 From: altellez@IP6SEGURIDAD.COM Subject: ssh advirsory To: BUGTRAQ@NETSPACE.ORG Aleph ... Sorry if it is an old bug ... i have tested a bug in ssh-2.0.12. any remote attacker can guess real account in the machine Details when a ssh client connects to the daemon it has a number ( default three ) of attempts to guess the correct password before disconnecting if you try to connect with a correct login, but you only have once if you try to connect with a no correct login. EXAMPLE alfonso is not user ( login ) in 192.168.0.1 $ssh 192.168.0.1 -l alfonso alfonso's password: <hit ENTER key> Disconnected; authentication error (Authentication method disabled.). $ altellez is user ( login ) in 192.168.0.1 $ssh 192.168.0.1 -l altellez altellez's password: <hit ENTER key> altellez's password: Now the remote attacker known that altellez is a true login in 192.168.0.1 QUICK FIX Edit the file sshd2_config (usually at /etc/ssh2), set the value of "PasswordGuesses" to 1. I only has tested it with ssh-2.0.12 -- Saludos. =========================================================== Alfonso Lazaro Tellez altellez@ip6seguridad.com Analista de seguridad IP6Seguridad http://www.ip6seguridad.com Tfno: +34 91-3430245 C\Alberto Alcocer 5, 1 D Fax: +34 91-3430294 Madrid ( SPAIN ) ===========================================================