On Fri, 24 Aug 2018, Solar Designer wrote:

> Hi Damien,
>
> Thank you for sharing these thoughts with the community.
>
> On Fri, Aug 24, 2018 at 10:58:20AM +1000, Damien Miller wrote:
> > Finally, and perhaps most importantly: there's a fundamental tradeoff
> > between attack surface and fixing this class of bug. As a concrete
> > example, fixing this one added about 150 lines of code to our
> > pre-authentication attack surface. In this case, we were willing to do
> > this because we had confidence in the additional parsing, mostly because
> > it's been reviewed several times and we've conducted a decent amount of
> > fuzzing on it. But, given the choice between leaving a known account
> > validity oracle or exposing something we don't trust, we'll choose the
> > former every time.
>
> Can you summarize for us all (on these mailing lists) the commits
> leading to OpenSSH 7.8 that deal with this issue and add "about 150
> lines of code", please?

It's this one:

> * sshd(8): avoid observable differences in request parsing that could
>   be used to determine whether a target user is valid. (Commit 74287f5df9)

Note that there's no new code added, but delaying the checks means more
code is exposed before the authentication handler bails out.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
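As an added illustration of the ordering the reply describes (checking the account before parsing the rest of the request, versus parsing first and checking afterwards), here is a constructed C model; it is not sshd's code or the commit's diff, and the account table, the packet format and the outcome names are assumptions made for the example:

```c
#include <stdint.h>
#include <string.h>

/* Outcomes a remote client can tell apart (constructed model, not sshd's). */
enum outcome { AUTH_FAILURE = 0, DISCONNECT_BAD_PACKET = 1 };

/* Hypothetical account table standing in for a getpwnam()-style lookup. */
static int user_is_valid(const char *user) {
    return strcmp(user, "alice") == 0 || strcmp(user, "bob") == 0;
}

/* Parser for the rest of the request: one length-prefixed string.
   Returns 0 if well-formed, -1 if the declared length overruns the packet. */
static int parse_rest(const uint8_t *buf, size_t len) {
    if (len < 4) return -1;
    uint32_t n = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
                 (uint32_t)buf[2] << 8 | buf[3];
    return n <= len - 4 ? 0 : -1;
}

/* Before: bail out on an unknown user before parsing the rest. A malformed
   request then yields AUTH_FAILURE for unknown users but DISCONNECT_BAD_PACKET
   for known ones, which is exactly the account-validity oracle. */
enum outcome handle_before(const char *user, const uint8_t *buf, size_t len) {
    if (!user_is_valid(user)) return AUTH_FAILURE;
    if (parse_rest(buf, len) != 0) return DISCONNECT_BAD_PACKET;
    return AUTH_FAILURE; /* the credential check itself is not modelled */
}

/* After: parse the whole request before consulting the account table, so the
   outcome is the same whether or not the user exists. The price is that
   parse_rest() now runs for every request, i.e. more code reachable pre-auth. */
enum outcome handle_after(const char *user, const uint8_t *buf, size_t len) {
    if (parse_rest(buf, len) != 0) return DISCONNECT_BAD_PACKET;
    if (!user_is_valid(user)) return AUTH_FAILURE;
    return AUTH_FAILURE; /* the credential check itself is not modelled */
}

typedef enum outcome (*handler_fn)(const char *, const uint8_t *, size_t);

/* Defender's regression check: feed one malformed request under a known and
   an unknown user name; any difference in outcome is a leak. Returns 1 if so. */
int leaks_user_validity(handler_fn h) {
    static const uint8_t malformed[] = { 0xff, 0xff, 0xff, 0xff }; /* claims a 4 GiB string, no body */
    return h("alice", malformed, sizeof malformed) != h("nobody", malformed, sizeof malformed);
}
```

The same check is worth keeping in a test suite, since any later "optimisation" that moves the account lookup back in front of the parser reintroduces the difference.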