Date:      Sun, 26 Aug 2001 01:29:22 -0400
From:      James Snow <snow@teardrop.org>
To:        Harold Gutch <520066542279-0001@t-online.de>
Cc:        Matt Dillon <dillon@earth.backplane.com>, Alfred Perlstein <bright@mu.org>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: ssh password cracker - now this *is* cool!
Message-ID:  <20010826012922.B79353@teardrop.org>
In-Reply-To: <20010825223907.A44732@foobar.franken.de>; from 520066542279-0001@t-online.de on Sat, Aug 25, 2001 at 10:39:07PM +0200
References:  <200108222330.f7MNUUj80882@earth.backplane.com> <20010822183807.T81307@elvis.mu.org> <200108222347.f7MNlF781161@earth.backplane.com> <20010825223907.A44732@foobar.franken.de>

On Sat, Aug 25, 2001 at 10:39:07PM +0200, Harold Gutch wrote:
> > :* Matt Dillon <dillon@earth.backplane.com> [010822 18:30] wrote:
> > :>     This gets an 'A' on my cool-o-meter.
> > :> 
> > :> 	http://www.vnunet.com/News/1124839
> 
> Dug Song and Solar Designer held a talk on this topic at HAL 2001,
> where they stated that backspaces could be detected, as a backspace
> actually translated to <Cursorleft><Space><Cursorleft> thus sending
> 3 characters at a time instead of only 1.

Apologies if I'm interrupting an academic conversation, but....  Isn't
this a non-issue in OpenSSH and thus any normal FreeBSD installs?

I'm just looking at packet dumps, not source, but it looks to me like
OpenSSH sends passwords all in one shot, not character by character.

Also, it appears to pad the data out to 108 bytes, which I should
think defends rather well against attacks geared towards gleaning
password length. (So long as your password isn't over 108 bytes, I
guess.)


-Snow
