[H-GEN] Just been checking /var/log/secure on my home computer ...

Greg Black gjb at gbch.net
Wed Sep 14 21:51:42 EDT 2005


On 2005-09-15, David Jericho wrote:
> Ewan Edwards wrote:
>> My query is to do with what is sent back to the connecting client, eg: 
>> Is there a way the connecting client (attacker) can determine if the 
>> user ID being used is 'illegal' or 'not allowed' on the box being 
>> attacked?
> 
> On many default SSHD/PAM setups, yes, it's possible to see. Wrong
> passwords will give a pause, illegal users will return immediately
> asking for the password.

And the way to see what the connecting client gets is to just
try the same logins they try.

Here's an example of an attempt to log in to a non-existent
account on one of my boxes:

    $ ssh foo@localhost
    Password:
    Password:
    Password:
    Permission denied (publickey,keyboard-interactive).

This box gives identical output for an attempt to log in as a real
but disallowed user.

Useful details in this case are:

    $ uname -srm
    FreeBSD 5.4-RELEASE i386
    $ ssh -V
    OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004

Cheers, Greg
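
The difference described in the quoted reply (a pause for wrong passwords, an immediate return for illegal users) is what you get when the expensive password check is skipped for names that cannot log in. The following Python sketch is an added example, not part of the original post and not OpenSSH or PAM code; it contrasts such a check with one that does the same work for every name. The account names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000
kdf_calls = 0  # instrumentation: counts expensive hash operations

def _kdf(password: str, salt: bytes) -> bytes:
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _record(password: str):
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

# Constructed account database: "greg" may log in, "operator" exists but is disallowed.
USERS = {"greg": _record("correct horse"), "operator": _record("hunter2")}
ALLOWED = {"greg"}
DUMMY = _record(os.urandom(16).hex())  # decoy record for unknown/disallowed names

def check_leaky(user: str, password: str) -> bool:
    """Returns early for unknown or disallowed users: no hash work, so no pause."""
    if user not in USERS or user not in ALLOWED:
        return False
    salt, digest = USERS[user]
    return hmac.compare_digest(_kdf(password, salt), digest)

def check_uniform(user: str, password: str) -> bool:
    """Always does one KDF computation and one comparison, whatever the user is."""
    valid = user in USERS and user in ALLOWED
    salt, digest = USERS[user] if valid else DUMMY
    matches = hmac.compare_digest(_kdf(password, salt), digest)
    return valid and matches

def kdf_cost(check, user: str, password: str = "guess") -> int:
    """Number of expensive hash operations one login attempt triggers."""
    before = kdf_calls
    check(user, password)
    return kdf_calls - before

if __name__ == "__main__":
    for name in ("greg", "operator", "foo"):
        print(name, kdf_cost(check_leaky, name), kdf_cost(check_uniform, name))
```

The per-attempt hash count stands in for response time: the leaky check costs 1 for a usable account and 0 otherwise, while the uniform check costs 1 for every name, matching the identical output shown above for non-existent and disallowed users.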



