Keyboard Interactive Attack?

Ángel González keisial at gmail.com
Thu Jul 23 06:56:03 AEST 2015


On 22/07/15 21:41, Scott Neugroschl wrote:
> I read an article today about keyboard interactive auth allowing bruteforcing.
>
> I'm afraid I have minimal understanding of what keyboard-interactive really does.  What does it do, and should I have my clients set it to off in sshd_config?
keyboard-interactive would ask the user for a password. You could be 
doing something a bit different through PAM, but given your query, you 
probably aren't, and both password and keyboard-interactive are 
basically equivalent on your system.

Does it allow bruteforcing? Yes, they could attempt your users' 
passwords. But they are using safe passwords, right?

My advice is:
* Disable password authentication for root (PermitRootLogin to no or 
without-password). This is by far the most attacked account, and the 
one they can do most damage through.

* Do not allow users to use simple passwords (at the very least, the 
password must not contain the username).

* Ban IPs after X failures (use a tool like fail2ban)

* Locking out an account after X password failures may be an appropriate 
measure, but largely depends on your setup (e.g. How should the lock 
expire, or shall the unlock be manual? Can your clients call your 
helpdesk and get unlocked?). This would be configured through PAM.

Best regards
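The per-IP failure counting behind the "ban IPs after X failures" step above, as an added example that is not from this thread, from OpenSSH or from fail2ban: it runs over constructed sshd log lines (the line format, the `maxretry`/`findtime` names and the sample addresses are assumptions) and treats password and keyboard-interactive/pam failures alike, since both end up at the same PAM password check.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two sshd failure forms discussed in the thread: the PAM-backed
# keyboard-interactive method and plain password auth. The line layout is
# assumed from common sshd syslog output; the sample lines are constructed.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>keyboard-interactive/pam|password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

SAMPLE_LOG = """\
Jul 22 21:40:01 host sshd[1201]: Failed password for root from 203.0.113.9 port 50101 ssh2
Jul 22 21:40:03 host sshd[1202]: Failed keyboard-interactive/pam for root from 203.0.113.9 port 50102 ssh2
Jul 22 21:40:04 host sshd[1203]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.9 port 50103 ssh2
Jul 22 21:40:09 host sshd[1204]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Jul 22 21:41:30 host sshd[1205]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Jul 22 21:55:00 host sshd[1206]: Failed keyboard-interactive/pam for root from 203.0.113.9 port 50104 ssh2
"""

def parse_failures(log_text, year=2015):
    """Yield (timestamp, method, user, ip) for each failed-auth line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["method"], m["user"], m["ip"]

def ips_to_ban(log_text, maxretry=3, findtime_seconds=600):
    """Return IPs that reached maxretry failures inside a sliding window of
    findtime_seconds (the two knobs an sshd jail is usually tuned with).
    The auth method is deliberately ignored: password and
    keyboard-interactive failures count alike."""
    attempts = defaultdict(list)
    banned = set()
    window = timedelta(seconds=findtime_seconds)
    for ts, _method, _user, ip in parse_failures(log_text):
        # keep only this IP's failures that fall inside the window ending now
        recent = [t for t in attempts[ip] if ts - t <= window] + [ts]
        attempts[ip] = recent
        if len(recent) >= maxretry:
            banned.add(ip)
    return sorted(banned)

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))  # ['203.0.113.9']
```

The 21:55 failure from 203.0.113.9 falls outside the 10-minute window of the earlier burst, so the window, not just the raw count, decides the ban; widening `findtime_seconds` to an hour makes it count.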
