2008/7/8, Ben Ford <ben@xxxxxxxxxxxxxx>: > No. He's saying that it leaks information that doesn't need to be leaked. > > For comparison, long long ago, there used to be different error messages > when authentication failed. It would helpfully tell you that your password > was wrong, or that you'd supplied the wrong username. Great for debugging, > right? Well yeah ... and it was great for enumerating the users on the box, > making further attacks much simpler. How about leaving what ssh server sends to the client as it is but making it at least log in syslog that the key was not found? VL
