Re: ssh security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
Subject: Re: ssh security
From: Florin Andrei <florin@xxxxxxxxxxxxxxx>
Date: Tue, 03 Jan 2006 15:21:12 -0800
In-reply-to: <1136305607.4430.25.camel@xxxxxxxxxxxxxxxxxxx>
References: <c80517ed0512252124s2d061627m771c58e42eaf8807@xxxxxxxxxxxxxx> <200512261848.05336.lists@xxxxxxxxxxxx> <c80517ed0512261656y63dda19dl1cda0dd273132258@xxxxxxxxxxxxxx> <43B09C03.9050401@xxxxxxxxx> <279901c60a88$d0ae1f20$1225a8c0@kittycat> <1135864941.3279.6.camel@xxxxxxxxxxxxx> <20060103134431.GC5616@xxxxxxxxxxxxxxxxxxx> <1136305607.4430.25.camel@xxxxxxxxxxxxxxxxxxx>
Reply-to: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>

On Tue, 2006-01-03 at 11:26 -0500, Michael H. Warfield wrote:

> It's considered axiomatic that security
> systems should NEVER disclose that level of information, even to the
> point of not giving a different error (message or code) for invalid
> password vs invalid account.  Even timing (responding too quickly if the
> account doesn't exist compared to wrong password) is considered a
> SERIOUS no-no.  I would have to consider that sshdfilter a security
> vulnerability, not a security tool.

Fully agree.

Differences in the system's behavior, based on usernames, visible from
outside, are a security issue.

-- 
Florin Andrei

http://florin.myip.org/

References:
- Re: ssh security
  - From: James Wilkinson
- Re: ssh security
  - From: Michael H. Warfield

Prev by Date: Re: my fc 4 isnt yum'y enough!
Next by Date: Re: Manual Registration Comcast High Speed Internet in Fedora 4
Previous by thread: Re: ssh security
Next by thread: Re: ssh security
Index(es):
- Date
- Thread

[Index of Archives] [Current Fedora Users] [Fedora Desktop] [Fedora SELinux] [Yosemite News] [Yosemite Photos] [KDE Users] [Fedora Tools] [Fedora Docs]