Keyboard Interactive Attack?

Ron Frederick ronf at timeheart.net
Thu Jul 23 09:31:35 AEST 2015


You need to disable “ChallengeResponse” (aka keyboard-interactive) authentication, not password authentication, to protect against this attack.

On Jul 22, 2015, at 1:56 PM, Bostjan Skufca <bostjan at a2o.si> wrote:
> 
> And to answer your question about what to do, you have three options:
> - disable access to ssh with a firewall
> - disable password authentication
> - install and enable IDS to mitigate brute forcing
> 
> b.
> 
> 
> On 22 July 2015 at 22:54, Bostjan Skufca <bostjan at a2o.si> wrote:
>> I just stumbled upon this story too (on /.), and as far as I
>> understand it, it allows a bit simpler way to perform brute force
>> attacks.
>> 
>> If you go about bruteforcing ssh, does it really matter that much if
>> you do it over one or 10 tcp connections?
>> 
>> If you do not have IDS (Intrusion Detection System, fail2ban or ossec
>> HIDS) installed and functioning, this bug does not matter all that
>> much. A determined attacker has this covered, regardless of the number of
>> kbd-interactive attempts you allow per single connection.
>> 
>> b.
>> 
>> PS: Actually I tried the proof of concept + patch provided for ssh.
>> OpenSSH, patched with this patch, does not even compile.
>> 
>> On 22 July 2015 at 21:41, Scott Neugroschl <scott_n at xypro.com> wrote:
>>> I read an article today about keyboard interactive auth allowing bruteforcing.
>>> 
>>> I'm afraid I have minimal understanding of what keyboard-interactive really does.  What does it do, and should I have my clients set it to off in sshd_config?
>>> 
>>> 
>>> ---
>>> Scott Neugroschl | XYPRO Technology Corporation
>>> 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

-- 
Ron Frederick
ronf at timeheart.net
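Two checks a defender might want around the points raised in this thread (whether keyboard-interactive is actually off in sshd_config, and whether an IDS-style count would notice many attempts crammed into one connection), as an added example that is not part of the list archive or of OpenSSH itself. It assumes sshd's usual auth-log wording for a failed keyboard-interactive attempt ("Failed keyboard-interactive/pam for USER from IP port PORT ssh2"); the sshd_config excerpt and the log lines are constructed. `KbdInteractiveAuthentication` is the name newer OpenSSH releases use for the same switch as `ChallengeResponseAuthentication`.

```python
"""Added example (not from the thread): checks around keyboard-interactive auth.

1. effective_sshd_options(): parse sshd_config the way sshd reads it
   (case-insensitive keywords, FIRST value for a keyword wins, global
   section ends at the first Match block) and report the effective value.
2. failed_kbdint_per_connection(): count failed keyboard-interactive
   attempts per TCP connection (source IP + source port) in auth.log-style
   lines, so one connection making many attempts stands out even where a
   per-IP threshold would not trip.

All sample data below is constructed for illustration.
"""
import re
from collections import Counter

# Both keywords control the same method: the first is the newer OpenSSH name,
# the second the older name used in the thread.
KBDINT_KEYWORDS = ("kbdinteractiveauthentication", "challengeresponseauthentication")


def effective_sshd_options(config_text):
    """Return {lowercase_keyword: value} for the global section of sshd_config.

    sshd honours the first occurrence of a keyword, so a hardening line
    appended at the bottom of the file is silently ignored if an earlier
    line already set the option. Options inside a Match block apply only to
    matched connections, so parsing stops there.
    """
    options = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(keyword, value)       # first value wins
    return options


def keyboard_interactive_enabled(config_text):
    """True unless the config explicitly sets the method to 'no'.

    OpenSSH defaults the option to 'yes', so an absent keyword means enabled.
    """
    options = effective_sshd_options(config_text)
    for key in KBDINT_KEYWORDS:
        if key in options:
            return options[key].lower() != "no"
    return True


# Matches sshd's failure line for the keyboard-interactive method, e.g.
# "Failed keyboard-interactive/pam for root from 203.0.113.7 port 51022 ssh2"
FAILED_KBDINT_RE = re.compile(
    r"Failed keyboard-interactive(?:/\S+)? for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def failed_kbdint_per_connection(log_lines):
    """Count failed keyboard-interactive attempts per (ip, port) pair.

    The client's source port identifies one TCP connection, so a count far
    above the server's MaxAuthTries for a single pair means many attempts
    were squeezed into one connection.
    """
    counts = Counter()
    for line in log_lines:
        m = FAILED_KBDINT_RE.search(line)
        if m:
            counts[(m.group("ip"), int(m.group("port")))] += 1
    return counts


def connections_over_limit(log_lines, max_auth_tries=6):
    """Return the (ip, port) pairs whose failure count exceeds max_auth_tries."""
    return sorted(conn for conn, n in failed_kbdint_per_connection(log_lines).items()
                  if n > max_auth_tries)


# ---- constructed sample data ------------------------------------------------
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt
Port 22
ChallengeResponseAuthentication yes
PasswordAuthentication no
# the line below is ignored by sshd: the first occurrence above wins
ChallengeResponseAuthentication no
Match User backup
    ChallengeResponseAuthentication no
"""

SAMPLE_LOG = (
    ["Jul 22 21:41:%02d host sshd[1234]: Failed keyboard-interactive/pam for root "
     "from 203.0.113.7 port 51022 ssh2" % i for i in range(20)]
    + ["Jul 22 21:42:01 host sshd[1235]: Failed keyboard-interactive/pam for admin "
       "from 198.51.100.3 port 40100 ssh2",
       "Jul 22 21:42:02 host sshd[1236]: Accepted publickey for alice "
       "from 192.0.2.9 port 50000 ssh2"]
)

if __name__ == "__main__":
    print("keyboard-interactive enabled:", keyboard_interactive_enabled(SAMPLE_CONFIG))
    print("connections over MaxAuthTries:", connections_over_limit(SAMPLE_LOG))
```

On a live host, `sshd -T` prints the configuration sshd actually resolved and is the authoritative check; the parser above shows why a grep for the keyword is not enough (only the first occurrence counts, and Match-block values are not global). The per-connection count is the piece a per-IP tool such as fail2ban does not give you by default.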
