On Thu, 1 May 2003, Ethan Benson wrote: > ive noticed something similar in its handling of PermitRootLogin, if > this option is set to `no' you get the following behavior: > > $ ssh root@host > root@host's password: <- arbitrary (non-null) string > [2 secs delay] > Permission denied, please try again.a > > $ ssh root@host > root@host's password: <- correct root password > [no delay] > Permission denied, please try again. > > i haven't checked the current version to see if this is still true. It is, also in the latest OpenSSH_3.6.1p2. I'm not sure if this behaviour has serios security implications, however it can be "fixed" applying the same workaround suggested for CAN-2003-0190: use the "nodelay" option for pam_unix.so. -- Marco Ivaldi Chief Security Officer Data Security Division @ Mediaservice.net Srl http://mediaservice.net/
