OpenSSH S/KEY Authentication Account Enumeration
Medium Nessus Plugin ID 17704
Synopsis
The remote host is affected by an information disclosure vulnerability.
Description
When OpenSSH has S/KEY authentication enabled, it is possible to remotely determine if an account configured for S/KEY authentication exists.
Note that Nessus has not attempted to exploit the issue but has instead only checked if OpenSSH is running on the remote host. As a result, it will not detect if the remote host has implemented a workaround.
Solution
A patch currently does not exist for this issue. As a workaround, either set 'ChallengeResponseAuthentication' in the OpenSSH config to 'no' or use a version of OpenSSH without S/KEY support compiled in.
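Because the plugin only checks that OpenSSH is running, the workaround has to be confirmed on the host itself. The following is an added example, not part of the Nessus plugin or of OpenSSH: a shell check that reads an sshd_config-style file and reports the global value of 'ChallengeResponseAuthentication'. The function names are hypothetical, and the script assumes that an unset option defaults to 'yes', that the first occurrence of a keyword wins, and that Include files and Match blocks are out of scope.

```shell
#!/bin/sh
# Added example (not from the plugin): confirm the S/KEY workaround locally.

# skey_workaround_state FILE -> prints "no", "yes", or "default-yes"
skey_workaround_state() {
    awk '
        # Drop comments, treat "Keyword=value" like "Keyword value",
        # and remove optional quoting around the value.
        { sub(/#.*/, ""); gsub(/=/, " "); gsub(/"/, "") }
        NF == 0 { next }
        # Only the global section is examined: stop at the first Match block.
        tolower($1) == "match" { exit }
        # Keywords are case-insensitive; the first value read is the one used.
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit
        }
        # Assumption: an unset option behaves as "yes".
        END { if (!found) print "default-yes" }
    ' "$1"
}

# skey_workaround_applied FILE -> exit status 0 only for an explicit "no"
skey_workaround_applied() {
    [ "$(skey_workaround_state "$1")" = "no" ]
}

# Constructed sample configuration: the later "yes" line is ignored
# because the earlier "no" line is read first.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample, not a real host configuration' \
    'Port 22' \
    'challengeresponseauthentication no' \
    'ChallengeResponseAuthentication yes' > "$sample"

if skey_workaround_applied "$sample"; then
    echo "workaround applied: ChallengeResponseAuthentication is no"
else
    echo "workaround missing: state is $(skey_workaround_state "$sample")"
fi
rm -f "$sample"
```

To audit a real host, pass the path of its sshd configuration file to skey_workaround_applied instead of the constructed sample.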