Rivoreo Source Code Repositories
src.rivoreo.one / security / openssh-library / 283b97ff33ea2c641161950849931bd578de6946
commit283b97ff33ea2c641161950849931bd578de6946[log] [download]
authorDarren Tucker <dtucker@zip.com.au>Fri Jul 15 13:49:44 2016 +1000
committerDarren Tucker <dtucker@zip.com.au>Fri Jul 15 13:49:44 2016 +1000
tree2f8127f4ca0bd727252c860e105ad1140ce54b6b
parent9286875a73b2de7736b5e50692739d314cd8d9dc [diff]
Mitigate timing of disallowed users PAM logins.

When sshd decides to not allow a login (eg PermitRootLogin=no) and
it's using PAM, it sends a fake password to PAM so that the timing for
the failure is not noticeably different whether or not the password
is correct.  This behaviour can be detected by sending a very long
password string which is slower to hash than the fake password.

Mitigate by constructing an invalid password that is the same length
as the one from the client and thus takes the same time to hash.
Diff from djm@
1 file changed
tree: 2f8127f4ca0bd727252c860e105ad1140ce54b6b
  1. .skipped-commit-ids
  2. CREDITS
  3. INSTALL
  4. LICENCE
  5. Makefile.in
  6. OVERVIEW
  7. PROTOCOL
  8. PROTOCOL.agent
  9. PROTOCOL.certkeys
  10. PROTOCOL.chacha20poly1305
  11. PROTOCOL.key
  12. PROTOCOL.krl
  13. PROTOCOL.mux
  14. README
  15. README.dns
  16. README.platform
  17. README.privsep
  18. README.tun
  19. TODO
  20. aclocal.m4
  21. addrmatch.c
  22. atomicio.c
  23. atomicio.h
  24. audit-bsm.c
  25. audit-linux.c
  26. audit.c
  27. audit.h
  28. auth-bsdauth.c
  29. auth-chall.c
  30. auth-krb5.c
  31. auth-options.c
  32. auth-options.h
  33. auth-pam.c
  34. auth-pam.h
  35. auth-passwd.c
  36. auth-rh-rsa.c
  37. auth-rhosts.c
  38. auth-rsa.c
  39. auth-shadow.c
  40. auth-sia.c
  41. auth-sia.h
  42. auth-skey.c
  43. auth.c
  44. auth.h
  45. auth1.c
  46. auth2-chall.c
  47. auth2-gss.c
  48. auth2-hostbased.c
  49. auth2-kbdint.c
  50. auth2-none.c
  51. auth2-passwd.c
  52. auth2-pubkey.c
  53. auth2.c
  54. authfd.c
  55. authfd.h
  56. authfile.c
  57. authfile.h
  58. bitmap.c
  59. bitmap.h
  60. blocks.c
  61. bufaux.c
  62. bufbn.c
  63. bufec.c
  64. buffer.c
  65. buffer.h
  66. buildpkg.sh.in
  67. canohost.c
  68. canohost.h
  69. chacha.c
  70. chacha.h
  71. channels.c
  72. channels.h
  73. cipher-3des1.c
  74. cipher-aes.c
  75. cipher-aesctr.c
  76. cipher-aesctr.h
  77. cipher-bf1.c
  78. cipher-chachapoly.c
  79. cipher-chachapoly.h
  80. cipher-ctr.c
  81. cipher.c
  82. cipher.h
  83. cleanup.c
  84. clientloop.c
  85. clientloop.h
  86. compat.c
  87. compat.h
  88. config.guess
  89. config.sub
  90. configure.ac
  91. contrib/
  92. crc32.c
  93. crc32.h
  94. crypto_api.h
  95. deattack.c
  96. deattack.h
  97. defines.h
  98. dh.c
  99. dh.h
  100. digest-libc.c
  101. digest-openssl.c
  102. digest.h
  103. dispatch.c
  104. dispatch.h
  105. dns.c
  106. dns.h
  107. ed25519.c
  108. entropy.c
  109. entropy.h
  110. fatal.c
  111. fe25519.c
  112. fe25519.h
  113. fixalgorithms
  114. fixpaths
  115. fixprogs
  116. ge25519.c
  117. ge25519.h
  118. ge25519_base.data
  119. groupaccess.c
  120. groupaccess.h
  121. gss-genr.c
  122. gss-serv-krb5.c
  123. gss-serv.c
  124. hash.c
  125. hmac.c
  126. hmac.h
  127. hostfile.c
  128. hostfile.h
  129. includes.h
  130. install-sh
  131. kex.c
  132. kex.h
  133. kexc25519.c
  134. kexc25519c.c
  135. kexc25519s.c
  136. kexdh.c
  137. kexdhc.c
  138. kexdhs.c
  139. kexecdh.c
  140. kexecdhc.c
  141. kexecdhs.c
  142. kexgex.c
  143. kexgexc.c
  144. kexgexs.c
  145. key.c
  146. key.h
  147. krl.c
  148. krl.h
  149. log.c
  150. log.h
  151. loginrec.c
  152. loginrec.h
  153. logintest.c
  154. mac.c
  155. mac.h
  156. match.c
  157. match.h
  158. md-sha256.c
  159. md5crypt.c
  160. md5crypt.h
  161. mdoc2man.awk
  162. misc.c
  163. misc.h
  164. mkinstalldirs
  165. moduli
  166. moduli.5
  167. moduli.c
  168. monitor.c
  169. monitor.h
  170. monitor_fdpass.c
  171. monitor_fdpass.h
  172. monitor_mm.c
  173. monitor_mm.h
  174. monitor_wrap.c
  175. monitor_wrap.h
  176. msg.c
  177. msg.h
  178. mux.c
  179. myproposal.h
  180. nchan.c
  181. nchan.ms
  182. nchan2.ms
  183. opacket.c
  184. opacket.h
  185. openbsd-compat/
  186. openssh.xml.in
  187. opensshd.init.in
  188. packet.c
  189. packet.h
  190. pathnames.h
  191. pkcs11.h
  192. platform-pledge.c
  193. platform-tracing.c
  194. platform.c
  195. platform.h
  196. poly1305.c
  197. poly1305.h
  198. progressmeter.c
  199. progressmeter.h
  200. readconf.c
  201. readconf.h
  202. readpass.c
  203. regress/
  204. rijndael.c
  205. rijndael.h
  206. rsa.c
  207. rsa.h
  208. sandbox-capsicum.c
  209. sandbox-darwin.c
  210. sandbox-null.c
  211. sandbox-pledge.c
  212. sandbox-rlimit.c
  213. sandbox-seccomp-filter.c
  214. sandbox-solaris.c
  215. sandbox-systrace.c
  216. sc25519.c
  217. sc25519.h
  218. scp.1
  219. scp.c
  220. servconf.c
  221. servconf.h
  222. serverloop.c
  223. serverloop.h
  224. session.c
  225. session.h
  226. sftp-client.c
  227. sftp-client.h
  228. sftp-common.c
  229. sftp-common.h
  230. sftp-glob.c
  231. sftp-server-main.c
  232. sftp-server.8
  233. sftp-server.c
  234. sftp.1
  235. sftp.c
  236. sftp.h
  237. smult_curve25519_ref.c
  238. ssh-add.1
  239. ssh-add.c
  240. ssh-agent.1
  241. ssh-agent.c
  242. ssh-dss.c
  243. ssh-ecdsa.c
  244. ssh-ed25519.c
  245. ssh-gss.h
  246. ssh-keygen.1
  247. ssh-keygen.c
  248. ssh-keyscan.1
  249. ssh-keyscan.c
  250. ssh-keysign.8
  251. ssh-keysign.c
  252. ssh-pkcs11-client.c
  253. ssh-pkcs11-helper.8
  254. ssh-pkcs11-helper.c
  255. ssh-pkcs11.c
  256. ssh-pkcs11.h
  257. ssh-rsa.c
  258. ssh-sandbox.h
  259. ssh.1
  260. ssh.c
  261. ssh.h
  262. ssh1.h
  263. ssh2.h
  264. ssh_api.c
  265. ssh_api.h
  266. ssh_config
  267. ssh_config.5
  268. sshbuf-getput-basic.c
  269. sshbuf-getput-crypto.c
  270. sshbuf-misc.c
  271. sshbuf.c
  272. sshbuf.h
  273. sshconnect.c
  274. sshconnect.h
  275. sshconnect1.c
  276. sshconnect2.c
  277. sshd.8
  278. sshd.c
  279. sshd_config
  280. sshd_config.5
  281. ssherr.c
  282. ssherr.h
  283. sshkey.c
  284. sshkey.h
  285. sshlogin.c
  286. sshlogin.h
  287. sshpty.c
  288. sshpty.h
  289. sshtty.c
  290. survey.sh.in
  291. ttymodes.c
  292. ttymodes.h
  293. uidswap.c
  294. uidswap.h
  295. umac.c
  296. umac.h
  297. utf8.c
  298. utf8.h
  299. uuencode.c
  300. uuencode.h
  301. verify.c
  302. version.h
  303. xmalloc.c
  304. xmalloc.h