SecurityTracker.com
Category:   Application (Security)  >   S/Key
Vendors:   OpenSSH.org
(A User Provides Information About Recent OpenSSH Changes) Re: OpenSSH's S/Key Implementation Information Disclosure Flaw Provides Remote Users With Information About Valid User Accounts
SecurityTracker Alert ID:  1002763
SecurityTracker URL:  http://securitytracker.com/id/1002763
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 16 2001
Impact:   Disclosure of system information


Description:   An information disclosure vulnerability was reported in OpenSSH's implementation of the S/Key one-time password feature. A remote user may be able to determine limited information about valid user account names on the system.

It is reported that the OpenSSH S/Key implementation only provides the S/Key challenge string to a remote user if the user account exists and the user account is configured to use one-time passwords.

If the user account does not exist, OpenSSH reportedly requests a password. If the user account exists but is not configured for one-time passwords, OpenSSH reportedly "hangs up" on the remote user.

This can give a remote user information about valid user account names on the system.

Impact:   A remote user can obtain information about valid user account names on the system.
Solution:   A user reports that the response given by OpenSSH using S/Key depends on the version of OpenSSH and the version of the S/Key library. The user states that OpenSSH has switched away from creating fake S/Key challenges and instead depends on the skey/otp/bsdauth/whatever-library to create fake challenges. The user also remarks that, with a post-Nov 2000 OpenBSD, skeychallenge() creates fake challenges so OpenSSH does not need to implement fake challenges.
Vendor URL:  www.openssh.org/
Cause:   Authentication error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 13 2001 OpenSSH's S/Key Implementation Information Disclosure Flaw Provides Remote Users With Information About Valid User Accounts



 Source Message Contents

Date:  Tue, 13 Nov 2001 13:00:04 +0100
Subject:  Re: OpenSSH & S/Key information leakage


On Sun, Nov 11, 2001 at 06:29:38PM -0700, Joel Maslak wrote:
> There are some bad implementations of S/Key in client programs.  OpenSSH
> (at least on OpenBSD 2.9) is one such bad implementation.  OpenSSH only
> provides this challenge string if (1) the user exists and (2) the user is
> using one-time-passwords.

This depends very much on the version of the OpenSSH and the versions
of your skey library. OpenSSH switched away from creating fake skey
challenges, and now depends on the skey/otp/bsdauth/whatever-library to
create fake challenges. With BSD_AUTH it even depends on the
authentication algorithms available in the default class.

With a post-Nov 2000 OpenBSD, skeychallenge() creates fake challenges,
so OpenSSH does not need to care.
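
The fake-challenge approach described above, as an added Python example that is not from the original message, OpenSSH, or the skey library. The names `challenge_for`, `fake_challenge`, `SKEY_DB` and the secret are hypothetical, the sample data is constructed, and the RFC 2289 `otp-md5` challenge format and the HMAC-SHA256 derivation are assumptions, not a description of what `skeychallenge()` does.

```python
import hashlib
import hmac
import re

# Assumption: a per-host random secret, generated once and kept private.
SERVER_SECRET = b"constructed-demo-secret"

# Constructed sample data: S/Key state (sequence, seed) for the accounts that
# have one-time passwords enabled. "bob" stands for an account without S/Key.
SKEY_DB = {"alice": (87, "ab12345")}

# Shape every challenge must have, real or fake (assumed otp-md5 format).
CHALLENGE_RE = re.compile(r"otp-md5 \d{1,2} [a-z]{2}\d{5}")


def fake_challenge(user, secret=SERVER_SECRET):
    """Derive a stable, plausible (sequence, seed) pair from the user name.

    Keying the derivation with a secret keeps the value unpredictable to
    clients; making it deterministic means repeated requests for the same
    name always see the same challenge, as they would for a real account.
    """
    digest = hmac.new(secret, user.encode("utf-8"), hashlib.sha256).digest()
    sequence = 1 + int.from_bytes(digest[0:2], "big") % 99
    letters = "".join(chr(ord("a") + b % 26) for b in digest[2:4])
    digits = int.from_bytes(digest[4:8], "big") % 100000
    return sequence, f"{letters}{digits:05d}"


def challenge_for(user):
    """Return a challenge of the same shape for every user name.

    The lookup never branches into "ask for a password" or "disconnect":
    names without S/Key state fall through to the fake challenge.
    """
    sequence, seed = SKEY_DB.get(user) or fake_challenge(user)
    return f"otp-md5 {sequence} {seed}"


if __name__ == "__main__":
    # S/Key user, account without S/Key, and unknown name all get a challenge.
    for name in ("alice", "bob", "mallory"):
        print(f"{name:8} -> {challenge_for(name)}")
```

A real account's sequence number counts down with each successful login while the derived one stays fixed, so this narrows the difference between responses and does not remove it.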

 
 

