<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"><span style="font-family:Noto Sans;">Package: systemd-homed </span></span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Version: 257.8-1~deb13u2 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Severity: grave </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Justification: user security hole </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Dear Maintainer, </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Installed the package systemd-homed and then created a user with the command </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">`homectl create testuser`. </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">It is possible to probe available users by measuring the time of failed SSH logins. </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">For an unknown user, login attempts always take below 5 seconds:</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">```</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><em><span style="color:#000000;">></span><span style="color:#96ffc2;"> time -p sshpass -p 'wrong_password' ssh someuser@IP</span></em></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Permission denied, please try again.</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">real 1.63</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">user 0.00</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">sys 0.01</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">```</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">For a known user, login attempts always take over 10 seconds: </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">``` </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><em><span style="color:#000000;">></span><span style="color:#96ffc2;"> time -p sshpass -p 'wrong_password' ssh testuser@IP </span></em></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Permission denied, please try again. </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">real 14.64 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">user 0.01 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">sys 0.00 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">``` </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Expected that login times are in a similar range for both known and unknown users.</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Best regards, </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Veiko Aasa </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">-- System Information: </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Debian Release: 13.0 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> APT prefers stable-updates </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Architecture: amd64 (x86_64) </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Kernel: Linux 6.12.48+deb13-amd64 (SMP w/8 CPU threads; PREEMPT) </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Shell: /bin/sh linked to /usr/bin/dash </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Init: systemd (via /run/systemd/system) </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Versions of packages systemd-homed depends on:</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii init-system-helpers 1.68 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libblkid1 2.41-5 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libc6 2.41-12 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libcap2 1:2.75-10+b1 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libfdisk1 2.41-5 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libpam-runtime 1.7.0-5 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libpam0g 1.7.0-5 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libssl3t64 3.5.1-1 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libsystemd-shared 257.8-1~deb13u2 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii polkitd 126-2 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii systemd 257.8-1~deb13u2</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii systemd-userdbd 257.8-1~deb13u2 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">systemd-homed recommends no packages.</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Versions of packages systemd-homed suggests:</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libcryptsetup12 2:2.7.5-2</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libidn2-0 2.3.8-2</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">ii libp11-kit0 0.25.5-3 </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">pn libtss2-rc0t64 &lt;none&gt;</span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">-- no debconf information </span></span></p>
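<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;"> </span></span></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="color:#fcfcfc;"><span style="background-color:#07180e;">Added example, not part of the original report and not systemd or Debian code: a regression check that a maintainer or administrator could run over `time -p` transcripts recorded on their own test host, to confirm whether failed-login timings still separate known from unknown accounts. The function names, the thresholds and every sample timing other than 1.63 and 14.64 are assumptions constructed for illustration.</span></span></p>
<pre>
```python
import re
from statistics import median

# Matches the "real SECONDS" line printed by `time -p`.
REAL_LINE = re.compile(r"^\s*real\s+(\d+(?:\.\d+)?)\s*$", re.MULTILINE)


def parse_real_times(transcript):
    """Return every wall-clock value from `time -p` output, in seconds."""
    return [float(m) for m in REAL_LINE.findall(transcript)]


def separability(control, target):
    """Rank-based effect size in [0, 1]: 0 means the two sets of timings
    are interchangeable, 1 means every target sample lies on one side of
    every control sample."""
    if not control or not target:
        raise ValueError("need at least one sample per group")
    # Count pairs where the target attempt was slower; ties count half.
    wins = sum((t > c) + 0.5 * (t == c) for t in target for c in control)
    auc = wins / (len(control) * len(target))
    return abs(2 * auc - 1)


def timing_leak(control, target, min_gap=1.0, min_sep=0.9):
    """True when failed-login timings reveal which group a name is in.
    min_gap (seconds) and min_sep are assumed thresholds, tune per host."""
    gap = abs(median(target) - median(control))
    return gap >= min_gap and separability(control, target) >= min_sep


# First "real" value in each transcript is from the report; the rest are constructed.
UNKNOWN_USER = "real 1.63\nuser 0.00\nsys 0.01\nreal 2.10\nreal 1.88\n"
KNOWN_USER = "real 14.64 \nuser 0.01 \nsys 0.00 \nreal 13.90\nreal 15.20\n"
# Constructed timings for a host where both failure paths take similar time.
FIXED_UNKNOWN = "real 3.10\nreal 2.95\nreal 3.30\n"
FIXED_KNOWN = "real 3.05\nreal 3.20\nreal 2.90\n"

if __name__ == "__main__":
    before = timing_leak(parse_real_times(UNKNOWN_USER), parse_real_times(KNOWN_USER))
    after = timing_leak(parse_real_times(FIXED_UNKNOWN), parse_real_times(FIXED_KNOWN))
    print("reported behaviour leaks account existence:", before)
    print("equalised behaviour leaks account existence:", after)
```
</pre>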
</body>
</html>