Package: openssh-server
Version: 6.7p1-5+deb8u2

When trying to connect to a host with an invalid username and the
"too many authentication failures" limit is hit, the host leaks whether the
username is valid or not.


For example:

ssh badusr@X.X.X.X
Received disconnect from X.X.X.X port 22:2: Too many authentication
failures for invalid user badusr from Y.Y.Y.Y port 47706 ssh2
Connection to X.X.X.X closed by remote host.
Connection to X.X.X.X closed.


The problem is in auth_maxtries_exceeded (auth.c:331):

void
auth_maxtries_exceeded(Authctxt *authctxt)
{
       /* The "invalid user " prefix is only emitted when the account does not
        * exist, so the disconnect text sent to the client reveals whether
        * the username is valid. */
       packet_disconnect("Too many authentication failures for "
           "%s%.100s from %.200s port %d %s",
           authctxt->valid ? "" : "invalid user ",
           authctxt->user,
           get_remote_ipaddr(),
           get_remote_port(),
           compat20 ? "ssh2" : "ssh1");
       /* NOTREACHED */
}

It seems to have been fixed in a later release of OpenSSH:

https://github.com/openssh/openssh-portable/commit/6f621603f9cff2a5d6016a404c96cb2f8ac2dec0
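As an added illustration, not part of this report and not OpenSSH's own source, here is the leaky message construction next to a hardened variant that keeps the per-account detail in the server log and sends the client a fixed string, plus a check that the client-visible text no longer depends on whether the account exists and a small server-side counter for lockouts of non-existent accounts. The cut-down Authctxt struct, the function names, the "maximum authentication attempts exceeded" log wording and the sample log lines are all assumptions or constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OpenSSH's Authctxt: only the two fields the
 * disconnect message depends on are modelled (assumption). */
typedef struct {
    int valid;         /* non-zero if the username maps to a real account */
    const char *user;  /* username supplied by the client */
} Authctxt;

/* Leaky variant, same shape as the 6.7p1 auth_maxtries_exceeded() above:
 * the string sent to the peer changes with authctxt->valid. */
int leaky_client_msg(const Authctxt *a, const char *ip, int port,
                     char *out, size_t outlen)
{
    return snprintf(out, outlen,
        "Too many authentication failures for %s%.100s from %.200s port %d ssh2",
        a->valid ? "" : "invalid user ", a->user, ip, port);
}

/* Hardened variant (assumed split): the peer always gets the same string. */
int safe_client_msg(const Authctxt *a, char *out, size_t outlen)
{
    (void)a;  /* deliberately unused: nothing account-specific reaches the peer */
    return snprintf(out, outlen, "Too many authentication failures");
}

/* The detail an administrator needs goes to the server log only. */
int safe_log_msg(const Authctxt *a, const char *ip, int port,
                 char *out, size_t outlen)
{
    return snprintf(out, outlen,
        "maximum authentication attempts exceeded for %s%.100s from %.200s port %d ssh2",
        a->valid ? "" : "invalid user ", a->user, ip, port);
}

/* Oracle check: build the client-visible message for the same username once
 * as an existing and once as a non-existent account. Returns 1 if the two
 * differ (the peer can tell the cases apart), 0 otherwise. */
int client_msg_reveals_validity(int hardened)
{
    char a[512], b[512];
    Authctxt real = { 1, "alice" };
    Authctxt fake = { 0, "alice" };
    const char *ip = "192.0.2.10";  /* constructed documentation address */

    if (hardened) {
        safe_client_msg(&real, a, sizeof a);
        safe_client_msg(&fake, b, sizeof b);
    } else {
        leaky_client_msg(&real, ip, 47706, a, sizeof a);
        leaky_client_msg(&fake, ip, 47706, b, sizeof b);
    }
    return strcmp(a, b) != 0;
}

/* Server-side detection: count log lines recording a lockout for an account
 * that does not exist. Repeated hits from one source are the signature of
 * username guessing, whichever message the client sees. */
int count_invalid_user_lockouts(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (strstr(lines[i], "authentication attempts exceeded") &&
            strstr(lines[i], "invalid user "))
            hits++;
    }
    return hits;
}

/* Constructed sample log lines in the format safe_log_msg() produces. */
static const char *const sample_log[] = {
    "maximum authentication attempts exceeded for invalid user badusr from 198.51.100.7 port 47706 ssh2",
    "maximum authentication attempts exceeded for alice from 198.51.100.7 port 47710 ssh2",
    "maximum authentication attempts exceeded for invalid user admin from 198.51.100.7 port 47712 ssh2",
};

int count_sample_lockouts(void)
{
    return count_invalid_user_lockouts(sample_log,
                                       sizeof sample_log / sizeof sample_log[0]);
}

int main(void)
{
    printf("leaky build reveals validity: %d\n", client_msg_reveals_validity(0));
    printf("hardened build reveals validity: %d\n", client_msg_reveals_validity(1));
    printf("invalid-user lockouts in sample log: %d\n", count_sample_lockouts());
    return 0;
}
```

The point of the split is that the information is not thrown away, only moved: the server log still distinguishes existing from non-existent accounts, so the lockouts remain visible to whoever watches auth logs, while the peer receives the same string in both cases.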
-- 
- Unix is fundamentally a simple system, but you have to be a genius to
understand its simplicity.
- Do not seek death, death will ultimately find you. Seek the road that
makes death a fulfilment.
