On Tue, 2004-12-07 at 17:21 -0500, Marcus Lauer wrote:
> I do hope that somebody fixes this, though. Any bug which
> allows a dictionary attack on the root account, unlikely as it is to
> work, is still surely a bad thing.
>

The dictionary attack that this bug allows only works if you put "PermitRootLogin" to "no" in the sshd config file. Here is a good description of the problem from Red Hat's bugzilla:

With openssh configured to not allow remote root login (file: /etc/ssh/sshd_config, PermitRootLogin no), an attempt to log in remotely as root with the wrong password results in a 3 second delay followed by:

Permission denied, please try again.

If the correct password is entered, there is no delay before presenting the message:

Permission denied, please try again.

An attacker could measure the time between rejections with an attack tool and determine the root password.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141642

I don't think the changelog entry Michal posted earlier has anything to do with this bug, so it should definitely go into bugzilla.

Marc.
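The following is an added illustration of the timing difference described in the Red Hat report above; it is not OpenSSH code and not part of the original message. It models an authentication handler as a function that returns a decision plus the delay it would impose (in seconds) instead of actually sleeping, so the behaviour can be checked without waiting. The user database, passwords, and the names `vulnerable_auth`, `hardened_auth` and `leaks_password_correctness` are all constructed for this example. The vulnerable handler checks the password before applying the PermitRootLogin policy and delays only on a wrong password, which is the pattern the bug report describes; the hardened handler makes every refusal take the same delay, whether it comes from policy or from a bad password, and never lets the secret influence the delay.

```python
"""Model of the PermitRootLogin timing difference (constructed example, not sshd)."""
import hashlib
import hmac
import os

FAIL_DELAY = 3.0  # seconds; the delay the bug report describes for a wrong password
PERMIT_ROOT_LOGIN = False  # models "PermitRootLogin no" in sshd_config


def _entry(password):
    """Constructed credential store entry: (salt, sha256(salt || password))."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


# Constructed user database; passwords are sample values for this example only.
USERS = {"root": _entry("correct-horse"), "alice": _entry("battery-staple")}
_DUMMY = _entry("dummy")  # used so unknown users cost the same hash work


def password_matches(user, password):
    """Constant-time comparison of the salted hash; unknown users still hash."""
    salt, digest = USERS.get(user, _DUMMY)
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest) and user in USERS


def vulnerable_auth(user, password):
    """Bug pattern: the password check runs first and only a wrong password is
    delayed; the policy refusal for root comes afterwards with no delay, so the
    presence or absence of the delay reveals whether the password was right."""
    if not password_matches(user, password):
        return "denied", FAIL_DELAY
    if user == "root" and not PERMIT_ROOT_LOGIN:
        return "denied", 0.0
    return "accepted", 0.0


def hardened_auth(user, password):
    """Every refusal carries the same delay, and the delay is decided from the
    policy and the outcome alone, so it cannot differ between a right and a
    wrong password for an account that is not allowed to log in."""
    matched = password_matches(user, password)  # same work on every path
    if user == "root" and not PERMIT_ROOT_LOGIN:
        return "denied", FAIL_DELAY
    if not matched:
        return "denied", FAIL_DELAY
    return "accepted", 0.0


def leaks_password_correctness(auth, user, right, wrong):
    """Defender-side check: does the imposed delay differ between a correct and
    an incorrect password for this account?"""
    return auth(user, right)[1] != auth(user, wrong)[1]


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_auth), ("hardened", hardened_auth)):
        leak = leaks_password_correctness(handler, "root", "correct-horse", "nope")
        print(f"{name}: delay depends on password correctness = {leak}")
```

The check that matters for a defender is `leaks_password_correctness`: the delay a refused login receives must be a function of the policy and the outcome, never of whether the secret itself was right.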
-- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list