author | Darren Tucker <dtucker@zip.com.au> | 2016-07-15 13:49:44 +1000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-07-22 13:59:49 +0100 |
commit | dde63f7f998ac3812a26bbb2c1b2947f24fcd060 (patch) | |
tree | be4b41e362d31150cc84039aa6150ccb637d8107 /openbsd-compat/getrrsetbyname-ldns.c | |
parent | e5ef9d3942cebda819a6fd81647b51c8d87d23df (diff) |
Mitigate timing of disallowed users PAM logins.

When sshd decides to not allow a login (eg PermitRootLogin=no) and
it's using PAM, it sends a fake password to PAM so that the timing for
the failure is not noticeably different whether or not the password
is correct. This behaviour can be detected by sending a very long
password string which is slower to hash than the fake password.

Mitigate by constructing an invalid password that is the same length
as the one from the client and thus takes the same time to hash.
Diff from djm@

Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=283b97ff33ea2c641161950849931bd578de6946
Bug-Debian: https://bugs.debian.org/831902
Last-Update: 2016-07-22
Patch-Name: CVE-2016-6210-2.patch

Diffstat (limited to 'openbsd-compat/getrrsetbyname-ldns.c')
0 files changed, 0 insertions, 0 deletions
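
The mitigation described in the commit message, sketched as an added example; this is not the code from the commit or from OpenSSH. The names make_fake_password, MAX_PW_LEN and junk, the length cap and the filler pattern are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on accepted password length (hypothetical, not from the page). */
#define MAX_PW_LEN 1024

/* Constructed filler pattern; leading control bytes make it an unlikely password. */
static const char junk[] = "\b\n\r\177INCORRECT";

/*
 * Hypothetical helper: build an invalid password exactly as long as the one
 * the client sent, so the backend spends the same time hashing it.
 * Returns NULL for over-long input or allocation failure; caller frees.
 */
char *make_fake_password(const char *client_pw)
{
    size_t len = 0, i;
    char *fake;

    /* Bounded length scan: never walk more than MAX_PW_LEN + 1 bytes. */
    while (len <= MAX_PW_LEN && client_pw[len] != '\0')
        len++;
    if (len > MAX_PW_LEN)
        return NULL;
    if ((fake = malloc(len + 1)) == NULL)
        return NULL;
    for (i = 0; i < len; i++)
        fake[i] = junk[i % (sizeof(junk) - 1)];
    fake[len] = '\0';
    return fake;
}

int main(void)
{
    const char *client_pw = "constructed-sample-password";  /* constructed input */
    char *fake = make_fake_password(client_pw);

    if (fake == NULL)
        return 1;
    /* The caller hands `fake` to the password backend and must deny the
     * login whatever the backend answers. */
    printf("client length %zu, fake length %zu\n", strlen(client_pw), strlen(fake));
    free(fake);
    return 0;
}
```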