| From | William Unruh <unruh@invalid.ca> |
|---|---|
| Newsgroups | alt.os.linux, comp.os.linux.misc |
| Subject | Re: Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades |
| Date | 2018-08-23 16:59 +0000 |
| Organization | A noiseless patient Spider |
| Message-ID | <plmp57$ooq$1@dont-email.me> (permalink) |
| References | <plklfo$4kg$1@news.mixmin.net> <plkmm8$t79$1@dont-email.me> <plko2r$i9f$1@tncsrv09.home.tnetconsulting.net> <plkv63$ab3$1@dont-email.me> <pllofa$fbr$1@news1.tnib.de> |
Cross-posted to 2 groups.
On 2018-08-23, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
> [irrelevant crossposted group removed]
>
> William Unruh <unruh@invalid.ca> wrote:
>>On 2018-08-22, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>>> On 08/22/2018 04:04 PM, William Unruh wrote:
>>>> I would call it a pretty low impact bug, since usernames have never been
>>>> very secret anyway.
>>> Agreed.
>>>
>>> I think this is an information leak comparable to an error message
>>> saying "your password is invalid" versus "no such user".
>>
>>According to the article, if the username is valid, the misformed packet
>>is just dropped, while if the username is not valid, it is returned with
>>an error message. Ie, yes it is similar. Not good, but hardly
>>"Vulnerability Affects All OpenSSH Versions..."
>
> If password authentication is enabled on the target host, this greatly
> reduces the space of username/password combinations to try and is
> therefore a vulnerability one should address.

Sure it is a minor vulnerability that should be fixed, but that is about it.
Usernames have never been secret. It is the secrecy of passwords that is
supposed to protect the system, NOT the secrecy of usernames. /etc/password is
readable by anyone, and there you have all of the usernames. Usernames are NOT
passwords, and anyone who relies on the secrecy of usernames to protect their
account is an idiot. (Besides the one really really powerful username, root,
is known by everyone in the world already).

>
> If password authentication is disabled, the space of possible keys to
> try is so vastly huge, that I don't care too much about my user names
> being vulnerable.

Except of course this opens up the vulnerability of your machine to all other
machines that have passwordless access to your system.
That is far more scary than is the thought of someone knowing my username.
Yes, brute force is outrageously expensive, but do you really trust the
sysadmins/users on all of the machines that you connect from? (I was once
broken into because of passwordless access-- one machine 5000 miles away got
broken into, and the attacker then followed the trail of passwordless access
back to my machine. If user A has passwordless access from X to Y, the
probability is high that A also has passwordless access from Y to X. Thus you
look for where A logs in from and follow the breadcrumbs back.)

>
> Greetings
> Marc
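
The trust-chain risk described in the post above, worked as an added example (not part of the original post or thread): given an inventory of passwordless logins, it computes which hosts become exposed once one machine is compromised and which host pairs trust each other in both directions. The host names, accounts and inventory are constructed for illustration.

```python
from collections import deque

# Constructed inventory: (source_host, dest_host, account) means a key stored
# on source_host logs in to account@dest_host without a password prompt.
# All host and account names are hypothetical.
TRUST_EDGES = [
    ("lab-far", "campus-gw", "alice"),
    ("campus-gw", "lab-far", "alice"),   # reciprocal trust, as the post predicts
    ("campus-gw", "desktop", "alice"),
    ("desktop", "backup", "root"),
    ("laptop", "desktop", "bob"),
]


def blast_radius(edges, compromised):
    """Return {host: [edge, ...]} for every host reachable from `compromised`
    by following passwordless logins, with the shortest chain of trust
    edges that reaches it (breadth-first search)."""
    outgoing = {}
    for src, dst, account in edges:
        outgoing.setdefault(src, []).append((src, dst, account))
    chains = {compromised: []}
    queue = deque([compromised])
    while queue:
        host = queue.popleft()
        for edge in outgoing.get(host, []):
            dst = edge[1]
            if dst not in chains:          # first visit is the shortest chain
                chains[dst] = chains[host] + [edge]
                queue.append(dst)
    del chains[compromised]                # report only the other hosts
    return chains


def reciprocal_pairs(edges):
    """Host pairs where the same account has passwordless access both ways."""
    seen = set(edges)
    return sorted({tuple(sorted((s, d))) + (a,)
                   for s, d, a in seen if (d, s, a) in seen})


if __name__ == "__main__":
    for host, chain in sorted(blast_radius(TRUST_EDGES, "lab-far").items()):
        print(host, "via", " -> ".join(f"{a}@{d}" for _, d, a in chain))
    print("reciprocal:", reciprocal_pairs(TRUST_EDGES))
```

Re-running `blast_radius` with a candidate edge removed from the inventory shows how much exposure that one passwordless login accounts for.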