Description

OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly only under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies: responses take longer for valid usernames than for invalid ones, as demonstrated by sshtime.

NOTE: as of 20061014, it appears that this issue depends on manually-set passwords whose /etc/shadow hashes use an increased number of rounds; the extra hashing work is what delays the response for existing accounts.
Overall state of this security issue: Ignore
This issue is currently rated as having moderate severity.
Rating source: National Vulnerability Database
Note from the SUSE Security Team

This issue affects SUSE Linux Enterprise and openSUSE, as no blinding (equalising the response time for valid and invalid usernames) is currently implemented. Because openssh login attempts are usually rate limited to reduce the risk of SSH worms, that rate limiting also makes this user-account presence guessing impractical. In general we consider this a minor issue and are not planning fixes for it at this time.

SUSE Bugzilla entries: 1105010 [REOPENED], 874752, 881234 [ASSIGNED]

No SUSE Security Announcements cross referenced.
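The mechanism in the description (the slow /etc/shadow hash runs only for existing accounts) and the "blinding" the note says is not implemented, shown as an added, self-contained example. This is illustrative code written for this page, not OpenSSH's or SUSE's code: the shadow table, usernames, passwords and PBKDF2 round counts are constructed, `auth_vulnerable` stands in for an authenticator that returns early for unknown users, `auth_blinded` for one that always does the same amount of hashing, and `enumerate_users` for an sshtime-style timing probe.

```python
import hashlib
import hmac
import os
import time

# Constructed, hypothetical shadow table: names, passwords and round
# counts are made up for this example and taken from no real system.
DEFAULT_ROUNDS = 100_000


def _pbkdf2(password, salt, rounds):
    """Stand-in for the slow, many-round /etc/shadow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_entry(password, rounds=DEFAULT_ROUNDS):
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds, "hash": _pbkdf2(password, salt, rounds)}


SHADOW = {
    "alice": make_entry("correct horse"),
    "bob": make_entry("hunter2"),
}

# Dummy entry used to blind lookups of unknown users. It must cost the same
# as the real entries, otherwise the timing difference reappears.
FAKE_ENTRY = make_entry(os.urandom(16).hex())


def auth_vulnerable(user, password, shadow=SHADOW):
    """Returns early for unknown users: the slow hash runs only for real accounts."""
    entry = shadow.get(user)
    if entry is None:
        return False
    digest = _pbkdf2(password, entry["salt"], entry["rounds"])
    return hmac.compare_digest(digest, entry["hash"])


def auth_blinded(user, password, shadow=SHADOW, fake=FAKE_ENTRY):
    """Always hashes once at the same cost; unknown users are checked against the dummy."""
    entry = shadow.get(user)
    is_fake = entry is None
    if is_fake:
        entry = fake
    digest = _pbkdf2(password, entry["salt"], entry["rounds"])
    matched = hmac.compare_digest(digest, entry["hash"])
    return matched and not is_fake


def median_seconds(fn, user, password, samples=3):
    """Median wall-clock time of one login attempt, the attacker's measurement."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        fn(user, password)
        timings.append(time.perf_counter() - start)
    timings.sort()
    return timings[len(timings) // 2]


def enumerate_users(fn, candidates, password="not-the-password", ratio=3.0):
    """sshtime-style probe: names answering much slower than the fastest
    candidate are reported as existing accounts."""
    timings = {u: median_seconds(fn, u, password) for u in candidates}
    fastest = min(timings.values())
    return sorted(u for u, t in timings.items() if t > ratio * fastest)


if __name__ == "__main__":
    names = ["alice", "mallory", "bob", "nobody"]
    print("vulnerable:", enumerate_users(auth_vulnerable, names))
    print("blinded:   ", enumerate_users(auth_blinded, names))
```

Against `auth_vulnerable` the probe reports alice and bob, because only their attempts pay for the hash; against `auth_blinded` every name costs the same and nothing is reported. Two caveats tie back to the text above: the dummy entry only blinds if its cost matches the real entries, and a per-account increase in rounds (the manually-set passwords in the NOTE) is exactly what breaks that match; and the probe needs several timed attempts per name, so connection rate limiting raises the cost of the attack substantially, which is the SUSE Security Team's reasoning.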
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.
| Product | Package | State |
|---|---|---|
| SUSE Linux Enterprise Desktop 11 SP3 | openssh | Affected |
| SUSE Linux Enterprise Desktop 12 GA | openssh | Affected |
| SUSE Linux Enterprise Server 11 SP3 | openssh | Affected |
| SUSE Linux Enterprise Server 12 GA | openssh | Affected |
| SUSE Linux Enterprise Server for VMware 11 SP3 | openssh | Affected |