Keyboard Interactive Attack?
mancha
mancha1 at zoho.com
Thu Jul 23 09:03:28 AEST 2015
On Wed, Jul 22, 2015 at 07:41:54PM +0000, Scott Neugroschl wrote:
> I read an article today about keyboard interactive auth allowing
> bruteforcing.
>
> I'm afraid I have minimal understanding of what keyboard-interactive
> really does. What does it do, and should I have my clients set it to
> off in sshd_config?
Hi.
A bug in the keyboard-interactive codebase allows querying a
keyboard-interactive device more than once per auth request.
By sending a comma-delimited keyboard-interactive device list with
repeats (e.g. "pam, pam, pam, ..."), one can circumvent an OpenSSH
server's MaxAuthTries restriction.
That's the crux of the issue.
Attached patch fixes.
--mancha
-------------- next part --------------
From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
From: "djm at openbsd.org" <djm at openbsd.org>
Date: Sat, 18 Jul 2015 07:57:14 +0000
Subject: [PATCH] upstream commit
Query each keyboard-interactive device only once per authentication
request regardless of how many times it is listed; ok markus@
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
Reference-ID: 701a201481b751df5ed85b68de259637
---
auth2-chall.c | 11 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};
#ifdef USE_PAM
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
if (len == 0)
break;
for (i = 0; devices[i]; i++) {
- if (!auth2_method_allowed(authctxt,
+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+ !auth2_method_allowed(authctxt,
"keyboard-interactive", devices[i]->name))
continue;
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+ if (strncmp(kbdintctxt->devices, devices[i]->name,
+ len) == 0) {
kbdintctxt->device = devices[i];
+ kbdintctxt->devices_done |= 1 << i;
+ }
}
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150722/55048f74/attachment.bin>
More information about the openssh-unix-dev
mailing list