Darren, If you have time could you try the actual tool against the new patch curious to see how it stands up https://github.com/c0r3dump3d/osueta On 20 July 2016 at 22:27, Darren Tucker <dtucker@xxxxxxxxxx> wrote: > On Thu, Jul 21, 2016 at 1:48 PM, Darren Tucker <dtucker@xxxxxxxxxx> wrote: > [...] > > Well if there are no accounts with a valid salt then there's also no > > valid account to compare the timing of invalid accounts against. > > Worst case that'd be DES crypt vs empty password and I'm not sure if > > you'd be able to pick that out of the background crypto. > > I just measured the speed of DES crypt on a somewhat elderly 2.1GHz > Xeon X3210 at about 7 microseconds. Good luck picking that out of > Diffie-Hellman exchange over a network. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
