I wonder if could be useful to set the fall back account to something user defined to avoid suggesting people add passwords to root, though I do like root since the account is always there, but I myself would do that invalid pass before actually adding a real pass to root, however I think it would be nice if there was a sshd_config option for fallback_timing_account to let the user specify something other then root like some generic user they already have that doesn't involve root. Or have ssh create an dummy account on the system that has only a invalid password. The fall back to DES seems ok, but not sure it would fully resolve the issue, since timing for DES and sha family would be different, but does fix the instant fail for crypt not understanding blowfish. The random delay idea is pretty good it would make timing analysis difficult. I wonder if DES + random delay in event root has no password could be an option. On 20 July 2016 at 20:48, Darren Tucker <dtucker@xxxxxxxxxx> wrote: > On Thu, Jul 21, 2016 at 12:31 PM, Selphie Keller > <selphie.keller@xxxxxxxxx> wrote: > > Ahh i see, just got up to speed on the issue, so seems like the issue is > > related to blowfish being faster then sha family hashing for longer > length > > passwords, > > or the system's crypt() not understanding $2a$ -style salts, which > most glibcs don't. On those, crypt fails immediately due to invalid > salt. > > > so there is a time lag difference between the blowfish internal > > hash and the sha family hash, though this could be tricky to fix since > some > > systems may still use blowfish based hashing and changing the internal > hash > > The best I could come up with (which is what I implemented[1]) was to > look the crypt method used for root's password and use that, falling > back to DES if that fails. That scheme won't help if you don't set a > root password (or set it to *LK* or similar), but short of surveying > all accounts on the system I'm not sure how to do much better. > > [1] > https://anongit.mindrot.org/openssh.git/commit/?id=9286875a73b2de7736b5e50692739d314cd8d9dc > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
