<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><span style="font-family:Noto Sans;"><span style="color:#000000;"><span style="background-color:#ffffff;">Package: systemd-homed </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Version: 257.8-1~deb13u2 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Severity: grave </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Justification: user security hole </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;"> </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Dear Maintainer, </span></span><br /><br /><span style="color:#000000;"><span style="background-color:#ffffff;">I installed the package systemd-homed and then created a user using the command </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">`homectl create testuser`. </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;"> </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">It is possible to probe available users by measuring the time of failed SSH logins. 
</span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">For an unknown user, login attempts always take below 5 seconds: </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">``` </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">> time -p  sshpass -p 'wrong_password' ssh someuser@IP </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Permission denied, please try again. </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">real 1.63 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">user 0.00 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">sys 0.01 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">``` </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">For a known user, login attempts always take over 10 seconds: </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">``` </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">> time -p  sshpass -p 'wrong_password' ssh testuser@IP </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Permission denied, please try again. </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">real 14.64 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">user 0.01 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">sys 0.00 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">``` </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Expected that login times are in a similar range for both known and unknown users. 
</span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Best regards, </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Veiko Aasa </span></span><br /><br /><span style="color:#000000;"><span style="background-color:#ffffff;">-- System Information: </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Debian Release: 13.0 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;"> APT prefers stable-updates </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;"> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Architecture: amd64 (x86_64) </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Kernel: Linux 6.12.48+deb13-amd64 (SMP w/8 CPU threads; PREEMPT) </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Shell: /bin/sh linked to /usr/bin/dash </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Init: systemd (via /run/systemd/system) </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Versions of packages systemd-homed depends on: </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  init-system-helpers  1.68 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libblkid1            2.41-5 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libc6                2.41-12 </span></span><br /><span style="color:#000000;"><span 
style="background-color:#ffffff;">ii  libcap2              1:2.75-10+b1 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libfdisk1            2.41-5 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libpam-runtime       1.7.0-5 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libpam0g             1.7.0-5 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libssl3t64           3.5.1-1 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libsystemd-shared    257.8-1~deb13u2 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  polkitd              126-2 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  systemd              257.8-1~deb13u2 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  systemd-userdbd      257.8-1~deb13u2 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">systemd-homed recommends no packages. </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">Versions of packages systemd-homed suggests: </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libcryptsetup12  2:2.7.5-2 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libidn2-0        2.3.8-2 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">ii  libp11-kit0      0.25.5-3 </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">pn  libtss2-rc0t64   <none> </span></span><br /><span style="color:#000000;"><span style="background-color:#ffffff;">-- no debconf information </span></span><br /><br /></p>
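<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Added example, not part of the original report and not systemd code: one way to turn the expectation stated in the report into a repeatable check. It parses `time -p` transcripts in the format shown above and flags the host when failed-login durations separate known from unknown accounts. The sample transcripts are constructed, and the function names and the 0.5 second tolerance are assumptions.</p>
<pre>
```python
import re
import statistics

# Constructed `time -p` transcripts in the format shown in the report.
# Only 1.63 and 14.64 appear in the report; the other values are invented.
UNKNOWN_RUNS = """\
Permission denied, please try again.
real 1.63
user 0.00
sys 0.01
real 2.10
real 1.88
"""
KNOWN_RUNS = """\
Permission denied, please try again.
real 14.64
user 0.01
sys 0.00
real 13.90
real 15.20
"""
REAL_LINE = re.compile(r"^real\s+(\d+(?:\.\d+)?)\s*$", re.MULTILINE)

def real_times(transcript):
    """Return the wall-clock seconds from every `real` line."""
    return [float(value) for value in REAL_LINE.findall(transcript)]

def check_login_timing(unknown_transcript, known_transcript, tolerance=0.5):
    """Compare failed-login durations; tolerance (seconds) is an assumption."""
    unknown = real_times(unknown_transcript)
    known = real_times(known_transcript)
    if not unknown or not known:
        raise ValueError("no 'real' lines found in a transcript")
    faster, slower = sorted((unknown, known), key=statistics.median)
    gap = round(min(slower) - max(faster), 2)  # positive: ranges never overlap
    median_diff = round(statistics.median(slower) - statistics.median(faster), 2)
    leaks = gap > 0 and median_diff > tolerance
    return {"median_unknown": statistics.median(unknown),
            "median_known": statistics.median(known),
            "median_diff": median_diff, "range_gap": gap,
            "account_existence_leaks": leaks}

if __name__ == "__main__":
    print(check_login_timing(UNKNOWN_RUNS, KNOWN_RUNS))
```
</pre>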
</body>
</html>