Keyboard Interactive Attack?

Bostjan Skufca bostjan at a2o.si
Thu Jul 23 09:54:48 AEST 2015


Thanks for the clarification.

One question though:
As far as I have tested OpenSSH, it logs every unsuccessful
authentication attempt at the very moment it becomes unsuccessful, not
after the connection is closed (after a timeout or when reaching max
auth attempts). Is this true even for this attack, or not?

Because if it is true, and there is an IDS system that bans an IP after X
failed logins, there should not be any problem. But if logging is
deferred for any reason, then the IDS cannot detect the attack in a timely
manner.



b.


On 23 July 2015 at 01:03, mancha <mancha1 at zoho.com> wrote:
> On Wed, Jul 22, 2015 at 07:41:54PM +0000, Scott Neugroschl wrote:
>> I read an article today about keyboard interactive auth allowing
>> bruteforcing.
>>
>> I'm afraid I have minimal understanding of what keyboard-interactive
>> really does.  What does it do, and should I have my clients set it to
>> off in sshd_config?
>
> Hi.
>
> A bug in the keyboard-interactive codebase allows querying a
> keyboard-interactive device more than once per auth request.
>
> By sending a comma-delimited keyboard-interactive device list with
> repeats (e.g. "pam, pam, pam, ..."), one can circumvent an OpenSSH
> server's MaxAuthTries restriction.
>
> That's the crux of the issue.
>
> Attached patch fixes.
>
> --mancha
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
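The question above is whether a log-driven IDS can still react to this attack. The following is an added example, not code from the thread or from OpenSSH: a small Python parser for sshd "Failed ... for ... from ... port ... ssh2" lines that counts failures per source IP (the usual ban rule) and, separately, per connection. Because MaxAuthTries is a per-connection limit, a single connection that logs more failures than MaxAuthTries allows is the observable trace of the repeated-device bypass described in the quoted reply. The log lines, hostnames, addresses and the MaxAuthTries value of 6 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log (not taken from the thread). The connection on
# port 51234 records eight keyboard-interactive failures, more than a
# MaxAuthTries of 6 would permit; the connection on port 40001 is an
# ordinary run of three failures that sshd then cuts off.
SAMPLE_LOG = """\
Jul 23 09:50:01 host sshd[4321]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
Jul 23 09:50:01 host sshd[4321]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
Jul 23 09:50:02 host sshd[4321]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
Jul 23 09:50:02 host sshd[4321]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
Jul 23 09:50:03 host sshd[4321]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
Jul 23 09:50:03 host sshd[4321]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
Jul 23 09:50:04 host sshd[4321]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
Jul 23 09:50:04 host sshd[4321]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
Jul 23 09:50:10 host sshd[4322]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul 23 09:50:11 host sshd[4322]: Failed keyboard-interactive/pam for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul 23 09:50:12 host sshd[4322]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul 23 09:50:13 host sshd[4322]: error: maximum authentication attempts exceeded for root from 198.51.100.7 port 40001 ssh2 [preauth]
Jul 23 09:50:20 host sshd[4323]: Accepted publickey for alice from 203.0.113.5 port 22222 ssh2
"""

# Matches the per-attempt failure line; "invalid user" is optional because
# sshd inserts it when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2"
)


def parse_failures(text):
    """Yield (pid, method, user, ip, port) for every failed-auth line."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield (m.group("pid"), m.group("method"), m.group("user"),
                   m.group("ip"), int(m.group("port")))


def failures_per_ip(text):
    """Total failures per source address, the input to a ban-after-X rule."""
    counts = defaultdict(int)
    for _, _, _, ip, _ in parse_failures(text):
        counts[ip] += 1
    return dict(counts)


def ips_to_ban(text, threshold):
    """Addresses that reached the ban threshold."""
    return sorted(ip for ip, n in failures_per_ip(text).items() if n >= threshold)


def connections_exceeding_max_auth_tries(text, max_auth_tries):
    """(ip, port) of connections whose failure count passed MaxAuthTries.

    sshd enforces MaxAuthTries per connection, so under normal operation a
    single (pid, ip, port) cannot log more failures than that limit; seeing
    more is a signal that the limit was circumvented.
    """
    per_conn = defaultdict(int)
    for pid, _, _, ip, port in parse_failures(text):
        per_conn[(pid, ip, port)] += 1
    return sorted((ip, port) for (pid, ip, port), n in per_conn.items()
                  if n > max_auth_tries)


if __name__ == "__main__":
    print("failures per IP:", failures_per_ip(SAMPLE_LOG))
    print("ban (threshold 5):", ips_to_ban(SAMPLE_LOG, 5))
    print("over MaxAuthTries 6:",
          connections_exceeding_max_auth_tries(SAMPLE_LOG, 6))
```

One caveat when tuning the threshold: sshd_config(5) documents that once the number of failures in a connection reaches half of MaxAuthTries, additional failures are logged, so at the default LogLevel the earliest keyboard-interactive failures of a connection may not produce a "Failed" line at all. A per-IP ban rule should therefore not assume it sees every attempt, and the per-connection check above is the more specific indicator for this particular bypass.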