The idea of enumeration, in my mind, seems to mean: emumerate all possibilities and filter out if some element is not valid. This results in an enumeration of all valid elements.
Some might interpret it to mean: enumerate only valid elements. This is equivalent. Consider the extreme case: if there are no valid usernames (i.e. fake SSH servers that disallow any username) then the method still enumerates all possibilities but never finds out any true username. Vacously, this enumerates all valid usernames.
Although this response is reasonable up to and including the first point, the second point is a little less convincing. The idea that it’s okay to be bad at security simply because someone else was bad at security is unfortunate at best.
The first point is - although not completly wrong - definitely debatable since these connections can be made simultaneously and aren’t blocking each other, which seems like they are trying to insinuate here.
I think there’s a distinction to be made between “bad at security” and “not actually a security boundary”. If you retroactively redefine public info to be a secret, it shouldn’t be surprising that everyone is “bad” at protecting it, or that someone might pushback and say not a bug.
I really appreciate that the misuse of “enumeration” is pointed out. See previous thread:
https://lobste.rs/s/ach1fc/openssh_username_enumeration#c_4gcwqw
The idea of enumeration, in my mind, seems to mean: emumerate all possibilities and filter out if some element is not valid. This results in an enumeration of all valid elements.
Some might interpret it to mean: enumerate only valid elements. This is equivalent. Consider the extreme case: if there are no valid usernames (i.e. fake SSH servers that disallow any username) then the method still enumerates all possibilities but never finds out any true username. Vacously, this enumerates all valid usernames.
Although this response is reasonable up to and including the first point, the second point is a little less convincing. The idea that it’s okay to be bad at security simply because someone else was bad at security is unfortunate at best.
The first point is - although not completly wrong - definitely debatable since these connections can be made simultaneously and aren’t blocking each other, which seems like they are trying to insinuate here.
I think there’s a distinction to be made between “bad at security” and “not actually a security boundary”. If you retroactively redefine public info to be a secret, it shouldn’t be surprising that everyone is “bad” at protecting it, or that someone might pushback and say not a bug.
And how and why is a username considered public information, they asked? https://lobste.rs/u
They mentioned the MaxStartups parameter, which does seem like it will cause connections to block.