Commit
43616c8731a48eff82ca79506d41e2b1e3f90baf
by Andreas WacknitzOpenSSH: fix CVE-2018-15473 (username enumeration)
Fix from OpenSSH 7.8p1 (https://www.openssh.com/releasenotes.html):
```
* sshd(8): add some countermeasures against timing attacks used for
account validation/enumeration. sshd will enforce a minimum time
or each failed authentication attempt consisting of a global 5ms
minimum plus an additional per-user 0-4ms delay derived from a
host secret.
```
Debian patch:
https://sources.debian.org/patches/openssh/1:7.4p1-10+deb9u4/upstream-delay-bailout-for-invalid-authenticating-user.patch/
**Testing (exploit: https://www.exploit-db.com/exploits/45210/)**
Affected:
```
$ python 45210.py 192.168.1.12 root
[+] Valid username
$ python 45210.py 192.168.1.12 thisisinvalid
[*] Invalid username
```
Fixed:
```
$ python 45210.py 192.168.1.181 root
[+] Valid username
$ python 45210.py 192.168.1.181 thisisinvalid
[+] Valid username
```
(commit: 43616c8)
![[Jenkins]](/jenkins/static/b7ed4e7a/images/svgs/logo.svg){kind=logo}
