Hi Jacob, all, On Tue, Jul 02, 2024 at 09:01:48PM -0500, Jacob Bachmeyer wrote: > A thought occurred to me late last night: this exploit required the use of > a very long fake user name (~128KB).
A side note, just in case: only our exploit against Ubuntu 6.06.1 uses a very long user name; our exploits against Debian 3.0r6 and Debian 12.5.0 simply use "nobody" (but it could be any existing user name). > If there currently really is no limit at all, outrageously long fake > usernames (limited only by bandwidth and LoginGraceTime?) There are various already-existing limits along the way, but the first one is PACKET_MAX_SIZE, which limits the size of a packet (and hence the strings it contains) to 256KB (and this is pre-authentication, so no compression tricks are possible, here). Thank you very much! With best regards, -- the Qualys Security Advisory team
