yeah I like this idea, fixes the issue with blowfish hashes and non root passwords, maybe random delay as the final fall back if no salts/passwords are found. Seems rare, but I do have one box that I use ssh keys on and none of the accounts have a hash set, but I also don't have password auth enabled.

On 20 July 2016 at 21:18, Darren Tucker <dtucker@xxxxxxxxxx> wrote:
> On Wed, Jul 20, 2016 at 09:02:57PM -0600, Selphie Keller wrote:
> > I wonder if could be useful to set the fall back account to something user defined to avoid suggesting people add passwords to root, though I do like root since the account is always there,
>
> Since committing that diff I've heard of people running in production with no root password (ie *LK*, !! or similar).
>
> It's about the same amount of code to search for the first account with a valid salt, which would avoid this problem in the case where the root account doesn't have a real password.
>
> djm: what do you think?
>
> diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
> index 8913bb8..5385243 100644
> --- a/openbsd-compat/xcrypt.c
> +++ b/openbsd-compat/xcrypt.c
> @@ -78,14 +78,18 @@ pick_salt(void) > if (salt[0] != '\0') > return salt; > strlcpy(salt, "xx", sizeof(salt)); > - if ((pw = getpwuid(0)) == NULL) > - return salt; > - passwd = shadow_pw(pw); > - if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL) > - return salt; /* no $, DES */ > - typelen = p - passwd + 1; > - strlcpy(salt, passwd, MIN(typelen, sizeof(salt))); > - explicit_bzero(passwd, strlen(passwd)); > + setpwent(); > + while ((pw = getpwent()) != NULL) { > + passwd = shadow_pw(pw); > + if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != > NULL) { > + typelen = p - passwd + 1; > + strlcpy(salt, passwd, MIN(typelen, sizeof(salt))); > + explicit_bzero(passwd, strlen(passwd)); > + goto out; > + } > + } > + out: > + endpwent(); > return salt; > } > > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
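Review bot: in the new getpwent() loop only the matching entry's hash is cleared with explicit_bzero(); every non-matching string returned by shadow_pw() (a DES-style hash, `*LK*`, `!!`, empty) is inspected and then left as it is, whereas the old single-account code at least returned immediately. For consistency with the matching path, consider clearing each returned string after the `passwd[0] == '$'` check fails, e.g. `explicit_bzero(passwd, strlen(passwd));` before the next iteration. Same hunk, second point: setpwent()/getpwent() walks the whole passwd database, which on NIS/LDAP-backed hosts is much more expensive than the getpwuid(0) it replaces; because the result is cached in the static `salt` buffer (the early `if (salt[0] != '\0') return salt;` fires even when the fallback "xx" was stored), the walk happens only once per process, which is worth stating in a comment next to `setpwent();`. On a host where no account has a `$`-style hash (the ssh-key-only box mentioned in the reply) the code still ends up with the DES "xx" salt, so the original timing difference that the change is meant to remove is unchanged there.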