Keyboard Interactive Attack?

Bostjan Skufca bostjan at a2o.si
Thu Jul 23 06:54:25 AEST 2015


I just stumbled upon this story too (on /.), and as far as I
understand it, it allows a somewhat simpler way to perform brute-force
attacks.

If you go about brute-forcing ssh, does it really matter that much if
you do it over one or 10 TCP connections?

If you do not have an IDS (Intrusion Detection System, fail2ban or ossec
HIDS) installed and functioning, this bug does not matter all that
much. A determined attacker has this covered, regardless of the number of
kbd-interactive attempts you allow per single connection.

b.

PS: Actually, I tried the proof of concept + patch provided for ssh.
OpenSSH, patched with this patch, does not even compile.

On 22 July 2015 at 21:41, Scott Neugroschl <scott_n at xypro.com> wrote:
> I read an article today about keyboard-interactive auth allowing brute-forcing.
>
> I'm afraid I have minimal understanding of what keyboard-interactive really does.  What does it do, and should I have my clients set it to off in sshd_config?
>
>
> ---
> Scott Neugroschl | XYPRO Technology Corporation
> 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
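The message above argues that what matters is counting failures per source address (which is what fail2ban or an HIDS does), not how many attempts sshd allows on one TCP connection. The following is an added example illustrating that point; it is not code from the thread, from fail2ban or from OpenSSH. The log lines are constructed in the style of sshd's "Failed keyboard-interactive/pam for ..." messages (exact wording varies by OpenSSH version and PAM setup), and the threshold of 5 failures in 10 minutes is an assumed policy, not a recommendation from the list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines modeled on sshd's logging format; they are
# not from the original thread. 203.0.113.5 makes all of its attempts over one
# TCP connection (one source port), 198.51.100.7 spreads the same number over
# five connections, and 192.0.2.9 is a user who mistypes a password twice.
SAMPLE_LOG = """\
Jul 22 21:40:01 bastion sshd[1201]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 50001 ssh2
Jul 22 21:40:02 bastion sshd[1201]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 50001 ssh2
Jul 22 21:40:03 bastion sshd[1201]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 50001 ssh2
Jul 22 21:40:04 bastion sshd[1201]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 50001 ssh2
Jul 22 21:40:05 bastion sshd[1201]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 50001 ssh2
Jul 22 21:40:06 bastion sshd[1201]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 50001 ssh2
Jul 22 21:41:10 bastion sshd[1210]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50010 ssh2
Jul 22 21:41:20 bastion sshd[1211]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50011 ssh2
Jul 22 21:41:30 bastion sshd[1212]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50012 ssh2
Jul 22 21:41:40 bastion sshd[1213]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50013 ssh2
Jul 22 21:41:50 bastion sshd[1214]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 50014 ssh2
Jul 22 21:42:00 bastion sshd[1220]: Failed password for alice from 192.0.2.9 port 50020 ssh2
Jul 22 21:42:05 bastion sshd[1220]: Failed password for alice from 192.0.2.9 port 50020 ssh2
Jul 22 21:42:09 bastion sshd[1220]: Accepted password for alice from 192.0.2.9 port 50020 ssh2
"""

# Matches sshd's failure lines for any method (password, keyboard-interactive/pam, ...).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$"
)


def parse_failures(log_text, year=2015):
    """Yield one dict per failed-authentication line; all other lines are ignored.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2015 here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space in e.g. "Jul  2"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts, "method": m["method"], "user": m["user"],
               "ip": m["ip"], "port": int(m["port"])}


def attempts_per_connection(log_text, year=2015):
    """Failures per (source ip, source port), i.e. per TCP connection: the view a
    per-connection limit such as sshd's MaxAuthTries has of the same traffic."""
    counts = defaultdict(int)
    for ev in parse_failures(log_text, year):
        counts[(ev["ip"], ev["port"])] += 1
    return dict(counts)


class SourceTracker:
    """Sliding-window failure counter keyed by source address, the way a
    fail2ban-style ban rule works. Because the key is the address and not the
    connection, spreading attempts over many TCP connections does not help."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self._recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
        self._ports = defaultdict(set)     # ip -> source ports seen (one per connection)
        self.banned = {}                   # ip -> time the ban was decided

    def observe(self, ev):
        """Record one failure; return True exactly when the source crosses the threshold."""
        ip, ts = ev["ip"], ev["ts"]
        self._ports[ip].add(ev["port"])
        if ip in self.banned:
            return False
        q = self._recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned[ip] = ts
            return True
        return False

    def connections_for(self, ip):
        return sorted(self._ports[ip])


def detect_bruteforce(log_text, max_failures=5, window_minutes=10, year=2015):
    """Return {banned ip: [source ports it used]} for the given log text."""
    tracker = SourceTracker(max_failures, timedelta(minutes=window_minutes))
    for ev in parse_failures(log_text, year):
        tracker.observe(ev)
    return {ip: tracker.connections_for(ip) for ip in tracker.banned}


if __name__ == "__main__":
    for ip, ports in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ban {ip}: {len(ports)} connection(s) used")
```

Run against the sample, both the single-connection attacker and the five-connection attacker are banned while alice is not; `attempts_per_connection` shows why a per-connection cap alone is a weaker answer, since the second attacker never exceeds one failure on any connection. On a real host the regex and the year handling need adjusting to the local sshd and syslog formats.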

