During keyboard-interactive authentication, if the PAM stack inserts a delay on bad logins, the delay will be present for accounts that exist, and not present for accounts that do not. One solution for 3.9p1 is to set "ChallengeResponseAuthentication no" and "PasswordAuthentication yes" in sshd_config, since PasswordAuthentication does not have this issue.
Created attachment 765: Make kbdint code call driver even for non-existent users
Created attachment 766: Feed bogus input to PAM for invalid logins. Note: you will need to apply *both* patches (#765 and #766) to completely fix the problem. Patch #766 partially by Colin Watson.
Created attachment 771: Make kbdint call driver even for invalid logins. Instead of always continuing, this patch now leaves it up to the individual drivers and adds an authctxt->valid check to bsdauth to maintain the current behavior for it.
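The following is an added example, not code from OpenSSH or from any of the attached patches. It models the timing oracle described in the first comment and the fix strategy of the attachments (run the PAM conversation for nonexistent accounts too, with bogus input, so the failure path and its delay are the same). The account database, the 50 ms fail delay, the probe's sample count and the threshold are all constructed assumptions; the point is that a remote probe distinguishes real from nonexistent accounts against the unpatched behaviour and cannot against the patched one.

```python
import statistics
import time

# Constructed assumptions for the model (not OpenSSH's real values).
FAIL_DELAY = 0.05                          # seconds a PAM stack sleeps on a failed login
KNOWN_USERS = {"alice": "correct horse"}   # constructed account database


def pam_authenticate(user, password):
    """Model of a PAM stack with a fail delay: every failed conversation sleeps."""
    ok = KNOWN_USERS.get(user) == password
    if not ok:
        time.sleep(FAIL_DELAY)
    return ok


def kbdint_vulnerable(user, password):
    """Pre-fix behaviour: the kbdint driver is never invoked for accounts that
    do not exist, so the PAM fail delay only ever occurs for real accounts."""
    if user not in KNOWN_USERS:
        return False            # fast path: the response time leaks existence
    return pam_authenticate(user, password)


def kbdint_fixed(user, password):
    """Post-fix behaviour: the driver is invoked for unknown accounts as well,
    with bogus input, so the failure path (and its delay) is identical."""
    if user not in KNOWN_USERS:
        pam_authenticate(user, password)   # bogus login; result is discarded
        return False
    return pam_authenticate(user, password)


def time_failed_login(server, user, samples=5):
    """Median wall-clock time of `samples` failed logins for `user`."""
    elapsed = []
    for _ in range(samples):
        start = time.perf_counter()
        server(user, "wrong-password")
        elapsed.append(time.perf_counter() - start)
    return statistics.median(elapsed)


def leaks_user_existence(server, existing="alice", missing="zzz-nobody",
                         threshold=FAIL_DELAY / 2):
    """True when the gap between an existing and a nonexistent account's
    response time exceeds half the fail delay, i.e. the server is an oracle."""
    gap = abs(time_failed_login(server, existing) - time_failed_login(server, missing))
    return gap > threshold


if __name__ == "__main__":
    for name, server in (("vulnerable", kbdint_vulnerable), ("fixed", kbdint_fixed)):
        print(f"{name}: leaks user existence = {leaks_user_existence(server)}")
```

The probe uses medians over several samples so a single scheduling hiccup does not flip the verdict; against a real sshd the same approach applies, with more samples and network jitter to average out. The fix works because the unknown-user path does the same expensive work as the known-user path; a fix that merely adds a fixed sleep for unknown users would still leak if the PAM delay is configurable or variable.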
This is now fixed in -current and the 3.9 branch: - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user existence via keyboard-interactive/pam, in conjunction with previous auth2-chall.c change; with Colin Watson and djm.
Created attachment 775: Patch for Kerberos timing difference for valid and invalid users. For PAM password authentication with KerberosAuthentication set to yes, there is a timing difference between valid and invalid users. The attached patch fixes that.
With the release of OpenSSH 4.0, these bugs are now closed. For details, see: http://www.openssh.com/txt/release-4.0