Hi,

SSH in OpenBSD 6.3 (stable), and I presume 6.2, is vulnerable to username existence checking by remote systems.
OpenBSD current has a patch.

https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0

Demonstration code is found here:

https://bugfuzz.com/stuff/ssh-check-username.py

Those not familiar with Python can follow these steps to confirm vulnerability existence:

    # Python version 2.7 may have a different name on your system.
    virtualenv -p python2.7 sshenum_venv
    ./sshenum_venv/bin/pip install paramiko
    ./sshenum_venv/bin/python ssh-check-username.py host.example.com testuser

More information can be found in the attached emails previously sent to secur...@openbsd.org.

Regards,

Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward."
    -- Robert A. Heinlein

CVE-2018-15473 OpenSSH through 7.7 is prone to a user enumeration vulnerability
Re: CVE-2018-15473 OpenSSH through 7.7 is prone to a user enumeration vulnerability