Date: Tue, 10 Oct 2006 00:41:25 +0200
From: Gianluca Varisco <giangy@...htemple.org>
To: bugtraq@...urityfocus.com
Cc: Marco Ivaldi <raptor@...eadbeef.info>
Subject: Re: yet another OpenSSH timing leak?

Marco Ivaldi wrote:
> It needs expect, and target ssh hostkey must be already added. I'd be
> very interested in knowing the results of tests performed on other
> distros and configurations.
>

Hi Marco,

nice to meet you :-). I tried to do this test over my 10 Mbps LAN and this is the result:

giangy@...r:~/dev$ ./sshtime calipso users.txt
a@...ipso real 9.55
root@...ipso real 9.33 <- valid user with shell
wheel@...ipso real 10.44
giangy@...ipso real 9.49
cdrom@...ipso real 9.68
burning@...ipso real 9.47
mysql@...ipso real 9.35
operator@...ipso real 9.59 <- valid user with shell
test@...ipso real 9.51 <- valid user with shell

Another test:

a@...ipso real 9.37
root@...ipso real 9.90 <- valid user with shell
wheel@...ipso real 10.66
giangy@...ipso real 9.41
cdrom@...ipso real 9.30
burning@...ipso real 10.30
mysql@...ipso real 9.47
operator@...ipso real 10.21 <- valid user with shell
test@...ipso real 10.98 <- valid user with shell
daemon@...ipso real 7.14
abcd@...ipso real 7.20

"root", "operator" and "test" are valid users with a valid shell enabled.

I made this test on Slackware 11.0 (fresh installation) with OpenSSH_4.4p1. I used the default sshd_config (see http://slackware.osuosl.org/slackware-current/source/n/openssh/ for more information about the package).

So, I didn't receive any timing leak in this session. I'll try other distributions and configurations as far as possible.

However, good work Marco :-).

Best Regards,
Gianluca Varisco
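Added example, not part of the original post: an exact permutation test over the two runs quoted above, to judge whether the gap between the accounts marked "valid user with shell" and the rest is larger than chance would give. It assumes the post's annotations are the complete set of valid accounts and treats each run separately; the function and variable names are this example's own.

```python
from itertools import combinations

# Timings in hundredths of a second, copied from the two runs in the post.
# True marks the accounts the post annotates "<- valid user with shell"
# (assumption: those annotations are complete).
RUN1 = [("a", 955, False), ("root", 933, True), ("wheel", 1044, False),
        ("giangy", 949, False), ("cdrom", 968, False), ("burning", 947, False),
        ("mysql", 935, False), ("operator", 959, True), ("test", 951, True)]
RUN2 = [("a", 937, False), ("root", 990, True), ("wheel", 1066, False),
        ("giangy", 941, False), ("cdrom", 930, False), ("burning", 1030, False),
        ("mysql", 947, False), ("operator", 1021, True), ("test", 1098, True),
        ("daemon", 714, False), ("abcd", 720, False)]


def permutation_test(run):
    """Exact two-sided permutation test on the difference of group means.

    Returns (observed_diff_seconds, p_value). The p-value is the share of all
    ways to pick the "valid" group that separate the means at least as much
    as the labelling in the post does.
    """
    times = [t for _, t, _ in run]
    k = sum(1 for _, _, valid in run if valid)
    n, total = len(times), sum(times)

    def scaled_diff(group_sum):
        # (mean_valid - mean_other) * k * (n - k), kept in integers so that
        # ties compare exactly.
        return group_sum * (n - k) - (total - group_sum) * k

    observed = scaled_diff(sum(t for _, t, valid in run if valid))
    splits = [scaled_diff(sum(c)) for c in combinations(times, k)]
    extreme = sum(1 for d in splits if abs(d) >= abs(observed))
    return observed / (k * (n - k) * 100), extreme / len(splits)


if __name__ == "__main__":
    for name, run in (("first run", RUN1), ("second run", RUN2)):
        diff, p = permutation_test(run)
        print(f"{name}: valid minus other = {diff:+.3f} s, p = {p:.3f}")
```

Neither run reaches the usual 0.05 level. One measurement per account gives the test little power, so repeated samples per account are needed before drawing a firm conclusion either way.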