Mailing List Archive

[Bug 2026] New: OpenSSH client leaks username to server

Priority: P5
Bug ID: 2026
Summary: OpenSSH client leaks username to server
Severity: normal
Classification: Unclassified
OS: Linux
Hardware: Other
Status: NEW
Version: 5.9p1
Component: ssh
Product: Portable OpenSSH

Hash: SHA1

Title: OpenSSH client leaks username to server
Context: Some issue tracker that includes portable openssh

When connecting to an SSH server, OpenSSH will send your username as
the SSH username if you don't provide one explicitly. This is an
information leak.

Why is this bad?
Imagine Bill Gates is using linux to hack into He was told
Linux is good, and he is planning on making the next release of windows
be an open source Linux distribution. He gets the root password for the
SSH server on He tries to get on by running "ssh",
it fails for wrong password, then he realizes he forgot to set the
username so he runs "ssh". But now has a login
attempt in their logs for the account "billgates" (he was using a
botnet which is hardcoded in every Windows kernel, providing an
anonymity network to Bill Gates, so didn't get his IP
address). So after Bill Gates changed to show bad financial
reports and say that they're closing down (making them lose all their
investors/market share etc), Bill Gates gets arrested because of this
irrefutable evidence left in the log file. Now Bill Gates hates Linux
forever and will never make Windows be Linux based.
Version: GnuPG v2.0.19 (GNU/Linux)


You are receiving this mail because:
You are watching the assignee of the bug.
openssh-bugs mailing list