Keyboard Interactive Attack?

Bostjan Skufca bostjan at a2o.si
Thu Jul 23 06:56:24 AEST 2015


And to answer your question about what to do, you have three options:
- disable access to ssh with a firewall
- disable password authentication
- install and enable IDS to mitigate brute forcing

b.


On 22 July 2015 at 22:54, Bostjan Skufca <bostjan at a2o.si> wrote:
> I just stumbled upon this story too (on /.), and as far as I
> understand it, it allows a bit simpler way to perform brute force
> attacks.
>
> If you go about bruteforcing ssh, does it really matter that much if
> you do it over one or 10 tcp connections?
>
> If you do not have IDS (Intrusion Detection System, fail2ban or ossec
> HIDS) installed and functioning, this bug does not matter all that
> much. A determined attacker has this covered, regardless of the number
> of kbd-interactive attempts you allow per single connection.
>
> b.
>
> PS: Actually I tried the proof of concept + patch provided for ssh.
> Openssh, patched with this patch, does not even compile.
>
> On 22 July 2015 at 21:41, Scott Neugroschl <scott_n at xypro.com> wrote:
>> I read an article today about keyboard interactive auth allowing bruteforcing.
>>
>> I'm afraid I have minimal understanding of what keyboard-interactive really does.  What does it do, and should I have my clients set it to off in sshd_config?
>>
>>
>> ---
>> Scott Neugroschl | XYPRO Technology Corporation
>> 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
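The thread's point is that an IDS such as fail2ban or OSSEC covers brute forcing whether the attempts arrive over one TCP connection or many. The following is an added example (not code from the thread or from OpenSSH) of that detection logic: a minimal fail2ban-style scan of sshd log lines that counts authentication failures per source address rather than per connection. The log lines, host name, addresses and pids are constructed for the example; the "Failed password" and "Failed keyboard-interactive/pam" message formats are those sshd writes to the auth log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not taken from the thread). 203.0.113.5
# opens a new connection (new sshd pid) for every attempt; 198.51.100.7 makes
# all of its keyboard-interactive attempts over a single connection (one pid).
SAMPLE_LOG = """\
Jul 22 21:40:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jul 22 21:40:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jul 22 21:40:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jul 22 21:40:06 host sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 40004 ssh2
Jul 22 21:40:08 host sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 40005 ssh2
Jul 22 21:40:10 host sshd[1310]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50123 ssh2
Jul 22 21:40:10 host sshd[1310]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50123 ssh2
Jul 22 21:40:11 host sshd[1310]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50123 ssh2
Jul 22 21:40:11 host sshd[1310]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50123 ssh2
Jul 22 21:40:12 host sshd[1310]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50123 ssh2
Jul 22 21:40:12 host sshd[1310]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50123 ssh2
Jul 22 21:40:20 host sshd[1400]: Accepted publickey for alice from 192.0.2.9 port 51000 ssh2
Jul 22 21:45:00 host sshd[1500]: Failed password for bob from 192.0.2.9 port 51001 ssh2
"""

# Matches both password and keyboard-interactive (PAM) failures, with or
# without the "invalid user" marker sshd adds for unknown account names.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed (?P<method>password|keyboard-interactive/pam) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_failures(log_text, year=2015):
    """Yield (timestamp, ip, pid, user, method) for every failed-auth line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["pid"], m["user"], m["method"]


def find_bruteforcers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for every source that reached `threshold`
    failures inside any sliding `window`.

    Failures are keyed on the source address, not on the sshd pid, so a
    source that packs many attempts into one connection is flagged exactly
    like one that reconnects for each attempt.
    """
    by_ip = defaultdict(list)
    for ts, ip, _pid, _user, _method in parse_failures(log_text):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def connections_per_source(log_text):
    """Distinct sshd pids (roughly, TCP connections) with failures, per source."""
    pids = defaultdict(set)
    for _ts, ip, pid, _user, _method in parse_failures(log_text):
        pids[ip].add(pid)
    return {ip: len(p) for ip, p in pids.items()}


if __name__ == "__main__":
    conns = connections_per_source(SAMPLE_LOG)
    for ip, count in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures over {conns[ip]} connection(s) -> ban candidate")
```

Running the block flags both constructed sources: 203.0.113.5 with five failures over five connections and 198.51.100.7 with six failures over a single connection, while the lone failure from 192.0.2.9 stays below the threshold. A per-connection counter (as MaxAuthTries is) would only ever see the second source as one connection; counting per source address is what makes the number of attempts per connection irrelevant to detection.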

