Bug#1117704: systemd-homed: Possible user enumeration via response timing of login attempts

Veiko Aasa veiko17 at disroot.org
Fri Oct 10 04:14:17 BST 2025


Package: systemd-homed
Version: 257.8-1~deb13u2
Severity: grave
Justification: user security hole

Dear Maintainer,            

I installed the package systemd-homed and then created a user using the command
`homectl create testuser`.

It is possible to probe available users by measuring the time of failed SSH logins.
For an unknown user, login attempts always take below 5 seconds:
```
> time -p  sshpass -p 'wrong_password' ssh someuser@IP
Permission denied, please try again.
real 1.63
user 0.00
sys 0.01
```
For a known user, login attempts always take over 10 seconds:
```
> time -p  sshpass -p 'wrong_password' ssh testuser@IP
Permission denied, please try again.
real 14.64
user 0.01
sys 0.00
```
Expected that login times would be in a similar range for both known and unknown users.
Best regards, 
Veiko Aasa 

-- System Information: 
Debian Release: 13.0 
 APT prefers stable-updates 
 APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') 
Architecture: amd64 (x86_64) 
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/8 CPU threads; PREEMPT) 
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set 
Shell: /bin/sh linked to /usr/bin/dash 
Init: systemd (via /run/systemd/system) 
Versions of packages systemd-homed depends on: 
ii  init-system-helpers  1.68 
ii  libblkid1            2.41-5 
ii  libc6                2.41-12 
ii  libcap2              1:2.75-10+b1 
ii  libfdisk1            2.41-5 
ii  libpam-runtime       1.7.0-5 
ii  libpam0g             1.7.0-5 
ii  libssl3t64           3.5.1-1 
ii  libsystemd-shared    257.8-1~deb13u2 
ii  polkitd              126-2 
ii  systemd              257.8-1~deb13u2 
ii  systemd-userdbd      257.8-1~deb13u2 
systemd-homed recommends no packages. 
Versions of packages systemd-homed suggests: 
ii  libcryptsetup12  2:2.7.5-2 
ii  libidn2-0        2.3.8-2 
ii  libp11-kit0      0.25.5-3 
pn  libtss2-rc0t64   <none> 
-- no debconf information 
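The report above measures the gap with real SSH logins. What follows is an added illustration, not code from the report, systemd or Debian, of the defensive pattern that closes such an oracle: a failed attempt is never reported before a fixed floor that covers the slowest legitimate failure path. The account name, password, per-path costs and floor are constructed, scaled-down values.

```python
import statistics
import time

# Constructed stand-in for the two paths the report describes: a quick
# rejection when the account does not exist, and a much slower one when it
# does (the existing account's home must be unlocked before the password
# can be rejected). Costs are scaled down from the report's ~1.6 s vs ~14 s
# so the demonstration runs in well under a second.
UNKNOWN_USER_COST = 0.005                     # seconds, constructed
KNOWN_USER_COST = 0.040                       # seconds, constructed
KNOWN_USERS = {"testuser": "correct-horse"}   # constructed sample account

# Every failed attempt is reported no earlier than this. It must cover the
# slowest legitimate failure path, otherwise the oracle survives.
RESPONSE_FLOOR = 0.080


def _wait_until(deadline):
    """Block until the monotonic clock reaches deadline."""
    while time.monotonic() < deadline:
        time.sleep(0.001)


def naive_auth(user, password):
    """Login check whose duration reveals whether the account exists.
    Returns (accepted, seconds_elapsed)."""
    start = time.monotonic()
    if user in KNOWN_USERS:
        _wait_until(start + KNOWN_USER_COST)    # unlock work, then compare
        accepted = password == KNOWN_USERS[user]
    else:
        _wait_until(start + UNKNOWN_USER_COST)  # fast "no such user" path
        accepted = False
    return accepted, time.monotonic() - start


def padded_auth(user, password):
    """Same check, but a failure is never reported before RESPONSE_FLOOR."""
    start = time.monotonic()
    accepted, _ = naive_auth(user, password)
    if not accepted:
        _wait_until(start + RESPONSE_FLOOR)
    return accepted, time.monotonic() - start


def median_gap(auth, samples=5):
    """Median failed-login time for a known account minus an unknown one."""
    known = [auth("testuser", "wrong_password")[1] for _ in range(samples)]
    unknown = [auth("nosuchuser", "wrong_password")[1] for _ in range(samples)]
    return statistics.median(known) - statistics.median(unknown)


if __name__ == "__main__":
    print(f"naive gap:  {median_gap(naive_auth):.3f} s")
    print(f"padded gap: {median_gap(padded_auth):.3f} s")
```

A floor only helps when it exceeds the slowest failing path; the alternative is to give the unknown-user path equivalent work so both paths cost the same.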

