Bug 611

Summary: Unnecessary authentication attempt in auth2-none.c creates delay
Product: Portable OpenSSH
Reporter: Matthew Sachs <matthewg>
Component: sshd
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WONTFIX
Severity: normal
Priority: P2
Version: 3.6.1p2
Hardware: All
OS: All
Attachments:
Description: Patch to fix the issue
Flags: none

Description Matthew Sachs 2003-07-01 10:32:13 AEST
The userauth_none function, which is called at the start of every SSH2
connection, attempts to authenticate the user by calling auth_password with an
empty password.  In the case where the user's password is not empty, which will
be the majority of the time, this can create a noticeable delay, since many
systems are set up to insert a pause after a failed authentication attempt in
order to prevent brute-force attacks.  The attached patch will suppress the
auth_password call in userauth_none if the PermitEmptyPasswords option is turned
off.  On my system (Debian GNU/Linux sid), this eliminates a two-second delay in
logging in.
Comment 1 Matthew Sachs 2003-07-01 10:34:13 AEST
Created attachment 351
Patch to fix the issue

Tested against 3.6.1p2, also applies to -current.
Comment 2 Ben Lindstrom 2003-07-01 10:36:59 AEST
Potentially leaks information about user accounts accessibility.
Comment 3 Matthew Sachs 2003-07-01 10:43:57 AEST
Is there a proper way to fix this bug?  My users are complaining about the delay.
Comment 4 Damien Miller 2004-04-14 12:24:19 AEST
Mass change of RESOLVED bugs to CLOSED