
Yes, it appears to be a timing attack where invalid users are denied more quickly than valid users.

https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/ssh_...




And to be clear, this is an issue that resurfaced in August or so of 2016, and is patched in supported OpenSSH daemons[0][1].

[0] https://access.redhat.com/security/cve/cve-2016-6210

[1] https://www.ubuntu.com/usn/usn-3061-1/



