Keyboard Interactive Attack?

Malcolm opensshdev at r.paypc.com
Thu Jul 23 10:22:12 AEST 2015


Quoting Scott Neugroschl <scott_n at xypro.com>:

> 
> On Wednesday, July 22, 2015 4:32 PM, Ron Frederick wrote:
> 
> > You need to disable "ChallengeResponse" (aka keyboard-interactive)
> > authentication, not password authentication, to protect against this
> > attack.

While that will probably do it on most setups, to be absolutely certain, the
actual setting in sshd_config is: KbdInteractiveAuthentication

Per the sshd_config man page, if it's not explicitly set, it will copy the
setting of ChallengeResponseAuthentication, which defaults to "yes".

So Ron's advice will probably work for most people, but not for those where
they've set KbdInteractiveAuthentication to yes.

If each attempt triggers a password failure logging entry, people running IDS
or log-watching IP-ban daemons probably don't have any increased risk.

Keep in mind this is something that in some system configurations can gently
assist a remote password cracker, and isn't an "exploit".

Cheers,
=R=
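Added example, not part of the mail or of OpenSSH itself: a small POSIX shell check that applies the inheritance rule described above (KbdInteractiveAuthentication absent means it copies ChallengeResponseAuthentication, which defaults to "yes") to an sshd_config. It assumes the `Keyword value` form, first occurrence wins, and only looks at the global section before any Match block; the sample configs are constructed.

```shell
#!/bin/sh
# Added example: compute the effective KbdInteractiveAuthentication value from
# an sshd_config, using the fallback rule the mail quotes from the man page.
# Assumptions: "Keyword value" syntax, keywords are case-insensitive, the first
# occurrence wins, and only the global section (before any Match) is read.

first_value() {
    # $1 = keyword (any case), $2 = config file; prints the first global value
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == "match" { exit }                  # stop at first Match block
        tolower($1) == key { print tolower($2); exit }   # first occurrence wins
    ' "$2"
}

effective_kbdint() {
    v=$(first_value KbdInteractiveAuthentication "$1")
    if [ -z "$v" ]; then
        # not set explicitly: inherit ChallengeResponseAuthentication
        v=$(first_value ChallengeResponseAuthentication "$1")
    fi
    if [ -z "$v" ]; then
        v=yes   # compiled-in default for ChallengeResponseAuthentication
    fi
    printf '%s\n' "$v"
}

# Constructed sample: the case the mail warns about. Password and
# challenge-response are off, but an explicit KbdInteractiveAuthentication
# line keeps keyboard-interactive enabled anyway.
risky_cfg=$(mktemp)
cat > "$risky_cfg" <<'EOF'
# constructed sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
kbdinteractiveauthentication yes
Match User backup
    KbdInteractiveAuthentication no
EOF

# Corrected counterpart: both keywords off, so nothing is inherited.
fixed_cfg=$(mktemp)
cat > "$fixed_cfg" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
EOF

echo "risky config -> $(effective_kbdint "$risky_cfg")"   # yes
echo "fixed config -> $(effective_kbdint "$fixed_cfg")"   # no
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this script only models the keyword fallback so the interaction can be seen offline.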

