Package: ssh
Version: 1:3.8p1-3
Severity: normal

Hello,

I found this bug and googled for it to get more information. The following link is a security advisory mentioning it:
http://lab.mediaservice.net/advisory/2003-01-openssh.txt

Basically, if user root is not authorized to connect to ssh, if you enter the correct password you will have no delay before the "password:" prompt is shown again. An attacker could then bruteforce the ssh login and just time the server answer; if the answer is given back quickly, the password tried is the correct one.

Many thanks for maintaining this package btw, it works well :o)

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.25-1-k7
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser         3.52          Add and remove users and groups
ii  debconf         1.4.22        Debian configuration management sy
ii  dpkg            1.10.21       Package maintenance system for Deb
ii  libc6           2.3.2.ds1-12  GNU C Library: Shared libraries an
ii  libpam-modules  0.76-19       Pluggable Authentication Modules f
ii  libpam-runtime  0.76-19       Runtime support for the PAM librar
ii  libpam0g        0.76-19       Pluggable Authentication Modules l
ii  libssl0.9.7     0.9.7d-1      SSL shared libraries
ii  libwrap0        7.6.dbs-3     Wietse Venema's TCP wrappers libra
ii  zlib1g          1:1.2.1-5     compression library - runtime

-- debconf information:
* ssh/privsep_tell:
  ssh/insecure_rshd:
  ssh/privsep_ask: true
  ssh/ssh2_keys_merged:
* ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
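
The timing difference described in the report, as an added example that is not part of the original report and is not OpenSSH code: a simplified C model that shows the leaky rejection path beside one that delays every rejection equally. The names `auth_leaky`, `auth_uniform` and `leaks_password`, the delay value and the sample passwords are all hypothetical or constructed, and the delay is returned as a number rather than slept.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FAIL_DELAY_MS 2000            /* constructed value, not sshd's */

struct account { const char *password; bool login_permitted; };
struct result  { bool accepted; int delay_ms; };  /* delay before re-prompt */

/* Pattern from the report: only a wrong password is delayed, so a correct
 * password for an account that may not log in is rejected immediately. */
struct result auth_leaky(const struct account *a, const char *pw)
{
    struct result r = { false, 0 };
    if (strcmp(a->password, pw) != 0)
        r.delay_ms = FAIL_DELAY_MS;
    else
        r.accepted = a->login_permitted;
    return r;
}

/* Hardened: run both checks, then delay every rejection by the same amount. */
struct result auth_uniform(const struct account *a, const char *pw)
{
    bool pw_ok = strcmp(a->password, pw) == 0;
    struct result r = { pw_ok && a->login_permitted, 0 };
    if (!r.accepted)
        r.delay_ms = FAIL_DELAY_MS;
    return r;
}

typedef struct result (*auth_fn)(const struct account *, const char *);

/* True if a barred account's rejection delay depends on the password. */
bool leaks_password(auth_fn auth)
{
    struct account root = { "constructed-secret", false };
    struct result right = auth(&root, "constructed-secret");
    struct result wrong = auth(&root, "wrong-guess");
    return right.delay_ms != wrong.delay_ms;
}

int main(void)
{
    printf("leaky=%d uniform=%d\n",
           leaks_password(auth_leaky), leaks_password(auth_uniform));
    return 0;
}
```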

