On Tue, 2003-08-05 at 06:54, Michael Schwendt wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 04 Aug 2003 22:22:16 -0600, Ashley M. Kirchner wrote:
>
> > While doing updates on my servers, I came across this one and I'm
> > baffled. I always ssh into my primary server and then ssh to the
> > others. I have them all setup to use keys, and normally it just logs in
> > and records this in syslog. However, after rpm updated
> > openssh/openssh-clients/openssh-server to 3.1p1-8 tonight, I'm noticing
> > something odd. When I log in, I see this in the log file:
> >
> > PAM-warn[1306]: service: sshd [on terminal: NODEVssh]
> > PAM-warn[1306]: user: (uid=0) -> root [remote: [EMAIL PROTECTED]
> > sshd(pam_unix)[1306]: authentication failure; logname= uid=0 euid=0
> > tty=NODEVssh ruser= rhost=intra.pcraft.com user=root
> > sshd(pam_unix)[1306]: session opened for user root by (uid=0)
> >
> > Notice how pam now says it failed authentication, yet it logged me
> > in. Um, what's going on?
>
> See clarifying comment at end of
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=101157
>
I assume that you are referring to:

<snip from bug comments>
If the only solution to the information leak is to have this delay, then
so be it. But it seems like this should definitely be a configuration
option for those of us who aren't worried about this particular attack
(the delay is very annoying). But the bogus authentication failure
message is wrong in either case. As others have said, the cure is
definitely worse than the disease.
</snip from bug comments>

The irritating thing is that this is CLOSED with a resolution of NOTABUG.

I just did this upgrade today on a couple of my internal machines and find
this very irritating. As several commenters have done, you can back it
out, but what happens when there is a real bug that gets fixed later?

There are indeed two issues, as the comments indicate.

1. It takes much longer to login. I use DSA type 2 keys and it usually
   takes less than a second to get in; now it takes closer to three
   seconds.

2. Erroneous log messages. I understand a delay in the failing case, but
   for an authenticated login? And I am sorry, bogus log messages are
   not OK.

I am about to try the openssh.org rpm since I don't see any discussion
about this on the openssh developer or bug list. I am thinking this is a
bad backport.

Bret

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
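The following is an added example and not part of the thread or of any Red Hat or OpenSSH code. The complaint above is that sshd 3.1p1-8 writes a pam_unix "authentication failure" line even for a successful key login, which pollutes syslog and can drown out genuine failures. One defensive workaround while the package is in this state is to correlate pam_unix lines by sshd PID when reviewing logs: a failure that is followed by "session opened" for the same PID and user is the spurious one described in the thread, anything else is a real failure worth looking at. The sample input consists of the four lines quoted above plus one constructed failure line (PID 1402, host 192.0.2.10 from the documentation address range) that has no matching session; that extra line is an assumption made up for the example.

```python
import re

# Sample syslog excerpt. The first four lines are quoted from the thread;
# the last one is constructed for this example (no matching "session
# opened" for PID 1402, so it represents a genuine failure).
SAMPLE_LOG = """\
PAM-warn[1306]: service: sshd [on terminal: NODEVssh]
PAM-warn[1306]: user: (uid=0) -> root [remote: [EMAIL PROTECTED]
sshd(pam_unix)[1306]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=intra.pcraft.com user=root
sshd(pam_unix)[1306]: session opened for user root by (uid=0)
sshd(pam_unix)[1402]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
"""

# Only the pam_unix lines carry the PID/event pair we correlate on.
PAM_UNIX = re.compile(
    r"^sshd\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"(?P<event>authentication failure|session opened)"
    r"(?P<rest>.*)$"
)

# "ruser=" also contains the text "user=", so anchor on whitespace.
USER_RE = re.compile(r"(?:^|\s)user=(\S*)")
RHOST_RE = re.compile(r"(?:^|\s)rhost=(\S*)")
OPENED_RE = re.compile(r"for user (\S+)")


def classify_failures(log_text):
    """Return one dict per pam_unix authentication failure, in log order.

    verdict is 'spurious' when the same sshd PID later opened a session
    for the same user (the 3.1p1-8 behaviour reported in the thread),
    otherwise 'real'.
    """
    failures = []
    opened = set()  # (pid, user) pairs that went on to open a session
    for line in log_text.splitlines():
        m = PAM_UNIX.match(line)
        if not m:
            continue
        pid, event, rest = m.group("pid"), m.group("event"), m.group("rest")
        if event == "authentication failure":
            user = USER_RE.search(rest)
            rhost = RHOST_RE.search(rest)
            failures.append({
                "pid": pid,
                "user": user.group(1) if user else "",
                "rhost": rhost.group(1) if rhost else "",
            })
        else:
            u = OPENED_RE.search(rest)
            if u:
                opened.add((pid, u.group(1)))
    # Second pass: the session line arrives after the failure line, so the
    # verdict can only be assigned once the whole excerpt has been read.
    for f in failures:
        f["verdict"] = "spurious" if (f["pid"], f["user"]) in opened else "real"
    return failures


def real_failures(log_text):
    """Convenience filter: only the failures that deserve attention."""
    return [f for f in classify_failures(log_text) if f["verdict"] == "real"]


if __name__ == "__main__":
    for f in classify_failures(SAMPLE_LOG):
        print(f"pid={f['pid']} user={f['user']} rhost={f['rhost']} -> {f['verdict']}")
```

Because it needs the later "session opened" line to decide, the script reads the whole excerpt before assigning verdicts; on a long-running log, PIDs are eventually reused, so in practice you would run it over a bounded window (one logrotate interval, say) or also compare timestamps, which the quoted lines do not carry.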