Bug#1117705: systemd-homed: Possible user enumeration via response timing of login attempts

Veiko Aasa veiko17 at disroot.org
Fri Oct 10 04:19:55 BST 2025


Package: systemd-homed
Version: 257.8-1~deb13u2
Severity: grave
Justification: user security hole

Dear Maintainer,

I installed the package systemd-homed and then created a user with the command
`homectl create testuser`.
                                                           
It is possible to probe available users by measuring the time of failed SSH logins.
For an unknown user, login attempts always take below 5 seconds:
```
/> time -p  sshpass -p 'wrong_password' ssh someuser@IP
Permission denied, please try again.
real 1.63
user 0.00
sys 0.01
```

For a known user, login attempts always take over 10 seconds:
```
/> time -p  sshpass -p 'wrong_password' ssh testuser@IP
Permission denied, please try again.
real 14.64
user 0.01
sys 0.00
```
                                                           
I expected login times to be in a similar range for both known and unknown users.
                                                           
Best regards,                                             
Veiko Aasa                                   
                                                           
                                                           
-- System Information:
Debian Release: 13.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd-homed depends on:
ii  init-system-helpers  1.68
ii  libblkid1            2.41-5
ii  libc6                2.41-12
ii  libcap2              1:2.75-10+b1
ii  libfdisk1            2.41-5
ii  libpam-runtime       1.7.0-5
ii  libpam0g             1.7.0-5
ii  libssl3t64           3.5.1-1
ii  libsystemd-shared    257.8-1~deb13u2
ii  polkitd              126-2
ii  systemd              257.8-1~deb13u2
ii  systemd-userdbd      257.8-1~deb13u2

systemd-homed recommends no packages.

Versions of packages systemd-homed suggests:
ii  libcryptsetup12  2:2.7.5-2
ii  libidn2-0        2.3.8-2
ii  libp11-kit0      0.25.5-3
pn  libtss2-rc0t64   <none>

-- no debconf information
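The timing gap reported above only pays off for an outsider who fails logins against many candidate usernames, and that sweep is visible in the sshd journal whether or not the names exist. The following added example (not part of the bug report, not systemd or Debian code) flags source addresses whose failed logins span several distinct usernames; the log lines and RFC 5737 addresses are constructed, and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample sshd journal lines (not from the bug report).
# sshd says "invalid user" when the name does not resolve; with homed a
# real user resolves via userdb, so "testuser" appears without that tag.
SAMPLE_LOG = """\
Oct 10 04:10:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 50001 ssh2
Oct 10 04:10:03 host sshd[1202]: Failed password for invalid user someuser from 192.0.2.10 port 50002 ssh2
Oct 10 04:10:18 host sshd[1203]: Failed password for testuser from 192.0.2.10 port 50003 ssh2
Oct 10 04:10:20 host sshd[1204]: Failed password for invalid user guest from 192.0.2.10 port 50004 ssh2
Oct 10 04:10:21 host sshd[1205]: Failed password for invalid user backup from 192.0.2.10 port 50005 ssh2
Oct 10 04:11:00 host sshd[1206]: Failed password for testuser from 198.51.100.7 port 50006 ssh2
Oct 10 04:11:05 host sshd[1207]: Failed password for testuser from 198.51.100.7 port 50007 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (src_ip, username, user_exists) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m["src"], m["user"], m["invalid"] is None


def enumeration_sources(log_text, min_distinct_users=3):
    """Return {src_ip: sorted distinct usernames} for every source that failed
    against at least min_distinct_users different accounts (assumed threshold).
    A single account hammered repeatedly (198.51.100.7) is ordinary password
    guessing and is not reported here; a name sweep (192.0.2.10) is."""
    users_by_src = defaultdict(set)
    for src, user, _exists in parse_failures(log_text):
        users_by_src[src].add(user)
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    for src, users in enumeration_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} distinct usernames probed: {', '.join(users)}")
```

Feed it `journalctl -u ssh --no-pager` output instead of the sample to run it against a real host.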