Bug 611 - Unnecessary authentication attempt in auth2-none.c creates delay
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 3.6.1p2
Hardware: All All
: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Reported: 2003-07-01 10:32 AEST by Matthew Sachs
Modified: 2004-04-14 12:24 AEST
Attachments
Patch to fix the issue (529 bytes, patch)
2003-07-01 10:34 AEST, Matthew Sachs

Description Matthew Sachs 2003-07-01 10:32:13 AEST
The userauth_none function, which is called at the start of every SSH2
connection, attempts to authenticate the user by calling auth_password with an
empty password.  In the case where the user's password is not empty, which will
be the majority of the time, this can create a noticeable delay, since many
systems are set up to insert a pause after a failed authentication attempt in
order to prevent brute-force attacks.  The attached patch will suppress the
auth_password call in userauth_none if the PermitEmptyPasswords option is turned
off.  On my system (Debian GNU/Linux sid), this eliminates a two-second delay in
logging in.
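
A simplified model of the behaviour described in this report, added here as an illustration; it is not OpenSSH source and not the attached patch. `struct authctxt`, the `_unguarded`/`_guarded` function names, the sample password and the 2000 ms failure delay are assumptions made for the model.

```c
/* Added model, not OpenSSH source: names follow the report, bodies are simplified. */
#include <stdio.h>
#include <string.h>

#define FAIL_DELAY_MS 2000   /* assumed: the two-second pause the reporter observed */

struct authctxt {            /* hypothetical stand-in for sshd's per-connection state */
    int valid;               /* account exists and may log in */
    const char *stored_pw;   /* constructed sample credential, plaintext for brevity */
    int pw_attempts;         /* how many times the password backend was consulted */
    int delay_ms;            /* pause accumulated from failed attempts */
};

/* Models a password backend that pauses after every failed attempt. */
static int auth_password(struct authctxt *a, const char *password)
{
    a->pw_attempts++;
    if (a->valid && strcmp(a->stored_pw, password) == 0)
        return 1;
    a->delay_ms += FAIL_DELAY_MS;   /* recorded, not slept, so the model runs instantly */
    return 0;
}

/* Behaviour described in the report: always probe with an empty password. */
static int userauth_none_unguarded(struct authctxt *a)
{
    return auth_password(a, "") && a->valid;
}

/* Proposed behaviour: skip the probe when empty passwords are not permitted. */
static int userauth_none_guarded(struct authctxt *a, int permit_empty_passwd)
{
    if (!permit_empty_passwd)
        return 0;
    return auth_password(a, "") && a->valid;
}

int main(void)
{
    struct authctxt before = {1, "s3cret", 0, 0}, after = {1, "s3cret", 0, 0};
    int r1 = userauth_none_unguarded(&before);
    int r2 = userauth_none_guarded(&after, 0);
    printf("unguarded: result=%d attempts=%d delay=%dms\n", r1, before.pw_attempts, before.delay_ms);
    printf("guarded:   result=%d attempts=%d delay=%dms\n", r2, after.pw_attempts, after.delay_ms);
    return 0;
}
```

For an account with a non-empty password, both variants return the same failure for the "none" method; only the number of backend attempts and the accumulated delay differ.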
Comment 1 Matthew Sachs 2003-07-01 10:34:13 AEST
Created attachment 351
Patch to fix the issue

Tested against 3.6.1p2, also applies to -current.
Comment 2 Ben Lindstrom 2003-07-01 10:36:59 AEST
Potentially leaks information about user accounts accessibility.
Comment 3 Matthew Sachs 2003-07-01 10:43:57 AEST
Is there a proper way to fix this bug?  My users are complaining about the delay.
Comment 4 Damien Miller 2004-04-14 12:24:19 AEST
Mass change of RESOLVED bugs to CLOSED