Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenSSH: Bugs

[Bug 2026] New: OpenSSH client leaks username to server



OpenSSH bugs RSS feed   Index | Next | Previous | View Threaded

bugzilla-daemon at mindrot

Jul 19, 2012, 8:47 AM

Post #1 of 1 (192 views)
[Bug 2026] New: OpenSSH client leaks username to server


Priority: P5
Bug ID: 2026
Assignee: unassigned-bugs [at] mindrot
Summary: OpenSSH client leaks username to server
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: longpoke [at] gmail
Hardware: Other
Status: NEW
Version: 5.9p1
Component: ssh
Product: Portable OpenSSH

Hash: SHA1

Title: OpenSSH client leaks username to server
Context: Some issue tracker that includes portable openssh

When connecting to an SSH server, OpenSSH will send your username as
the SSH username if you don't provide one explicitly. This is an
information leak.

Why is this bad?
Imagine Bill Gates is using linux to hack into apple.com. He was told
Linux is good, and he is planning on making the next release of windows
be an open source Linux distribution. He gets the root password for the
SSH server on apple.com. He tries to get on by running "ssh apple.com",
it fails for wrong password, then he realizes he forgot to set the
username so he runs "ssh root [at] apple". But now apple.com has a login
attempt in their logs for the account "billgates" (he was using a
botnet which is hardcoded in every Windows kernel, providing an
anonymity network to Bill Gates, so apple.com didn't get his IP
address). So after Bill Gates changed apple.com to show bad financial
reports and say that they're closing down (making them lose all their
investors/market share etc), Bill Gates gets arrested because of this
irrefutable evidence left in the log file. Now Bill Gates hates Linux
forever and will never make Windows be Linux based.
Version: GnuPG v2.0.19 (GNU/Linux)


You are receiving this mail because:
You are watching the assignee of the bug.
openssh-bugs mailing list
openssh-bugs [at] mindrot

OpenSSH bugs RSS feed   Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.