OpenSSH w/ PAM Multiple Timing Attack Weaknesses
Medium Nessus Plugin ID 11574
Synopsis: It is possible to enumerate valid users on the remote host.
Description: The remote host seems to be running an SSH server that could allow an attacker to determine whether a given login exists by comparing the time the remote sshd daemon takes to refuse a bad password for a nonexistent login with the time it takes to refuse a bad password for a valid login.
An attacker could use this flaw to set up a brute-force attack against the remote host.
Solution: Disable PAM support if you do not use it, or upgrade to OpenSSH version 3.6.1p2 or later.
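The weakness class described above, as an added illustration that is not OpenSSH or PAM code: a password check that refuses unknown logins before doing any hashing (leaky) beside one that always performs the same hashing work against a dummy record (constant work). The credential store, the PBKDF2 parameters and the login names are constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Simplified model of the weakness class; not OpenSSH/PAM code.
# Constructed sample credential store: {login: (salt, PBKDF2 hash)}.
ITERATIONS = 50_000

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse battery", _SALT))}

# Dummy record so that an unknown login costs the same as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("dummy-password", _DUMMY_SALT)

def auth_leaky(login, password):
    """Vulnerable pattern: unknown logins are refused before any hashing, so
    the refusal is measurably faster than a bad password for a valid login.
    Returns (accepted, number_of_hash_operations)."""
    if login not in USERS:
        return False, 0
    salt, stored = USERS[login]
    return hmac.compare_digest(_derive(password, salt), stored), 1

def auth_constant_work(login, password):
    """Hardened pattern: always derive and compare, substituting a dummy record
    for unknown logins, then fold the lookup result into the final answer."""
    known = login in USERS
    salt, stored = USERS[login] if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_derive(password, salt), stored)
    return (known and match), 1

def refusal_gap(auth, trials=5):
    """Seconds by which refusing 'alice' + bad password exceeds refusing an
    unknown login (median over trials); large for the leaky variant only."""
    def timed(login):
        samples = []
        for _ in range(trials):
            t0 = time.perf_counter()
            auth(login, "wrong-password")
            samples.append(time.perf_counter() - t0)
        return sorted(samples)[trials // 2]
    return timed("alice") - timed("no-such-user")

if __name__ == "__main__":
    print("leaky gap:    %.4f s" % refusal_gap(auth_leaky))
    print("constant gap: %.4f s" % refusal_gap(auth_constant_work))
```

Running it shows the leaky variant's gap close to one full PBKDF2 derivation, while the constant-work variant's gap sits in the measurement noise.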