back to article OpenSSH has user enumeration bug

A bug in OpenSSH allows an attacker to check whether user names are valid on a 'net-facing server - because the Blowfish algorithm runs faster than SHA256/SHA512. The bug hasn't been fixed yet, but in his post to Full Disclosure, Verint developer Eddie Harari says OpenSSH developer Darren Tucker knows about the issue and is …

  1. Mike Pellatt


    Run a net-facing ssh server with (only) password authentication ?? Wow, just wow.

  2. Anonymous Coward
    Anonymous Coward

    public / private key authentication

    If your ssh server is configured to accept ONLY public / private key authentication then does this mitigate this vulnerability?

    1. pitrh

      Re: public / private key authentication

      I don't think you can keep the pond scum from trying, as in I think sshd will let them try and keep failing.

      1. Anonymous C0ward

        Re: public / private key authentication

        Mine is set up to use either private key, or password + Google Authenticator.

  3. Aodhhan


    Not a huge issue in my book. If you're exposing port 22 or any other comm port externally... you have bigger issues to worry about, and by now... most host based firewalls should only accept comms from other internal systems; hopefully, along with a log management system which sends out some sort of notification after 10 consecutive login fails. Yes, I know this can be irritating when decommissioning servers.

    1. Anonymous Coward
      Thumb Up

      Re: Hopefully...

      Not a huge issue in my book.

      I agree. If you have Internet-facing SSH access with username/password authentication then you will see dozens and dozens of failed login attempts every day trying root, admin, guest, mysql, ubnt, etc so if you have any sense you will be running something to throttle those back, e.g. Fail2ban and a big blocklist, anyway.

  4. Stevie


    Ten kilobyte password?

    How about just using a simple "more than X characters and you are obviously a fucking Chechnyan Phishbot" rule to bounce the tactic? Pick X to be reasonable for your users and away you go?

    Gordon Bennet.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022