Package: systemd-homed 
Version: 257.8-1~deb13u2                     
Severity: grave                
Justification: user security hole 
                                                           
Dear Maintainer,            

I installed the package systemd-homed and then created a user using the command 
`homectl create testuser`. 
                                                           
It is possible to probe available users by measuring the time of failed SSH logins.

For an unknown user, login attempts always take below 5 seconds:
```
> time -p  sshpass -p 'wrong_password' ssh someuser@IP 
Permission denied, please try again. 
real 1.63 
user 0.00 
sys 0.01
```

For a known user, login attempts always take over 10 seconds:
```
> time -p  sshpass -p 'wrong_password' ssh testuser@IP 
Permission denied, please try again. 
real 14.64 
user 0.01 
sys 0.00 
``` 

It is expected that login times are in a similar range for both known and unknown users.

Best regards,
Veiko Aasa 

-- System Information: 
Debian Release: 13.0 
 APT prefers stable-updates 
 APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') 
Architecture: amd64 (x86_64) 
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/8 CPU threads; PREEMPT) 
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash 
Init: systemd (via /run/systemd/system) 
Versions of packages systemd-homed depends on: 
ii  init-system-helpers  1.68 
ii  libblkid1            2.41-5 
ii  libc6                2.41-12 
ii  libcap2              1:2.75-10+b1 
ii  libfdisk1            2.41-5 
ii  libpam-runtime       1.7.0-5 
ii  libpam0g             1.7.0-5 
ii  libssl3t64           3.5.1-1 
ii  libsystemd-shared    257.8-1~deb13u2 
ii  polkitd              126-2 
ii  systemd              257.8-1~deb13u2 
ii  systemd-userdbd      257.8-1~deb13u2 
systemd-homed recommends no packages. 
Versions of packages systemd-homed suggests: 
ii  libcryptsetup12  2:2.7.5-2 
ii  libidn2-0        2.3.8-2 
ii  libp11-kit0      0.25.5-3 
pn  libtss2-rc0t64   <none> 
-- no debconf information 
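
A way to check recorded measurements for the timing gap described in this report, for example before and after a fix. This is an added example, not part of the original report or of systemd; the function names and all sample values except the two `real` timings quoted in the report are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: analyses recorded `time -p` output only; it performs no logins.

# Constructed samples: the first "real" value in each set is from the report,
# the remaining values are made up for illustration.
UNKNOWN_SAMPLE='real 1.63
user 0.00
sys 0.01
real 2.41
real 3.07'
KNOWN_SAMPLE='real 14.64
user 0.01
sys 0.00
real 12.90
real 13.75'

# Read `time -p` output on stdin, print "min median max" of the "real" values.
real_stats() {
    awk '$1 == "real" { print $2 }' | LC_ALL=C sort -n | awk '
        { v[NR] = $1 }
        END {
            if (NR == 0) exit 1
            med = (NR % 2) ? v[(NR + 1) / 2] : (v[NR / 2] + v[NR / 2 + 1]) / 2
            printf "%s %s %s\n", v[1], med, v[NR]
        }'
}

# $1: timings for a nonexistent user, $2: timings for an existing user.
# Prints DISTINGUISHABLE when the two ranges do not overlap, i.e. a single
# threshold on response time tells the classes apart; otherwise OVERLAPPING.
compare_timings() {
    unknown=$(printf '%s\n' "$1" | real_stats) || return 2
    known=$(printf '%s\n' "$2" | real_stats) || return 2
    # shellcheck disable=SC2086  # intentional word splitting into $1..$6
    set -- $unknown $known
    echo "unknown min/med/max: $1 $2 $3; known min/med/max: $4 $5 $6" >&2
    # "+ 0" forces numeric comparison regardless of the awk implementation.
    awk -v umin="$1" -v umax="$3" -v kmin="$4" -v kmax="$6" 'BEGIN {
        if (umax + 0 < kmin + 0 || kmax + 0 < umin + 0) print "DISTINGUISHABLE"
        else print "OVERLAPPING"
    }'
}

compare_timings "$UNKNOWN_SAMPLE" "$KNOWN_SAMPLE"
```

An OVERLAPPING result on a small sample does not show the two cases are indistinguishable; it only means no single threshold separates the recorded values.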

