Question regarding this from a non-guru:
- Is it correct that this only works for user root if login with password/key for root is allowed?
- Is it correct that this only works if the attacker knows a login name valid for ssh?
I believe knowing an existing user name or using a host-dependent value does not matter.
The exploit tries to interrupt handlers that are being run due to the login grace period timing out - so we are already at a point where the authentication workflow has ended without passing all the credentials.
Plus, in the "Practice" section, they discuss using the user name value as a way to manipulate memory at a certain address, so they want/need to control this value.
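The hazard the reply above is pointing at is a signal handler that runs when the login grace timer fires while ordinary code is mid-operation. The following is an added illustration, not code from the original thread and not code from any SSH daemon: a hypothetical grace-timeout handler that does heap and formatting work itself (the unsafe pattern) beside one that only sets a flag and leaves the work to the main path (the safe pattern), plus a small simulated "authentication never completes" loop so the safe variant can be run. All function names (grace_alarm_unsafe, grace_alarm_safe, install_grace_timer, wait_for_auth) are assumptions made for this example.

```c
#define _DEFAULT_SOURCE 1
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>

/* Flag the handler is allowed to touch: volatile sig_atomic_t is the only
 * object type POSIX guarantees a handler may write and the main path may read. */
static volatile sig_atomic_t grace_expired = 0;

/* UNSAFE pattern (hypothetical, for contrast; do not run it under load):
 * the handler itself allocates, formats and frees. malloc, free, snprintf and
 * syslog are not async-signal-safe. If SIGALRM arrives while the interrupted
 * code is inside the allocator, this handler re-enters the allocator on
 * half-updated state; a caller who can time the interruption and shape the
 * heap beforehand controls what that re-entry does. */
static void grace_alarm_unsafe(int sig) {
    (void)sig;
    char *msg = malloc(64);                  /* not async-signal-safe */
    if (msg) {
        snprintf(msg, 64, "grace timeout");  /* not async-signal-safe */
        free(msg);                           /* not async-signal-safe */
    }
    grace_expired = 1;
}

/* SAFE pattern: the handler records the event and nothing else. Logging,
 * cleanup and the exit decision happen in normal code after the flag is seen
 * (or the handler calls _exit(), which is async-signal-safe). */
static void grace_alarm_safe(int sig) {
    (void)sig;
    grace_expired = 1;
}

/* Arm a one-shot SIGALRM in grace_usec microseconds with the given handler.
 * Returns 0 on success, -1 on failure. SA_RESTART is deliberately left off so
 * that a blocking wait in the main path is interrupted and re-checks the flag. */
int install_grace_timer(void (*handler)(int), unsigned grace_usec) {
    struct sigaction sa;
    struct itimerval it;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = grace_usec / 1000000;
    it.it_value.tv_usec = grace_usec % 1000000;
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* Simulated authentication exchange that never completes: the main path keeps
 * doing heap work (the same kind of work an unsafe handler would collide with)
 * until the grace timer fires. Returns 1 if the grace flag was observed,
 * 0 if max_iters ran out first, -1 if the timer could not be installed. */
int wait_for_auth(void (*handler)(int), unsigned grace_usec, unsigned max_iters) {
    struct timespec pause = {0, 100000};     /* 100 us between iterations */
    struct itimerval off;
    unsigned i;
    grace_expired = 0;
    if (install_grace_timer(handler, grace_usec) != 0) return -1;
    for (i = 0; i < max_iters && !grace_expired; i++) {
        void *p = malloc(16 + (i % 64));     /* main path inside the allocator */
        free(p);
        nanosleep(&pause, NULL);             /* returns early with EINTR on SIGALRM */
    }
    memset(&off, 0, sizeof off);
    setitimer(ITIMER_REAL, &off, NULL);      /* disarm */
    return grace_expired ? 1 : 0;
}

int main(void) {
    /* Only the safe handler is exercised; the unsafe one is kept for reading. */
    int seen = wait_for_auth(grace_alarm_safe, 20000, 1000000);
    printf("grace timer observed by main path: %d\n", seen);
    (void)grace_alarm_unsafe;
    return seen == 1 ? 0 : 1;
}
```

The point of the pair is that the safe handler makes the question "what was the main path doing when the alarm arrived?" irrelevant, which is exactly the question an attacker racing the grace timeout wants to control.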