Keyboard Interactive Attack?

Ron Frederick ronf at timeheart.net
Thu Jul 23 12:37:27 AEST 2015


On Jul 22, 2015, at 4:27 PM, Scott Neugroschl <scott_n at xypro.com> wrote:
> On 22/07/15 13:56, Ángel González wrote:
>> On 22/07/15 21:41, Scott Neugroschl wrote:
>>> I read an article today about keyboard interactive auth allowing bruteforcing.
>>> 
>>> I'm afraid I have minimal understanding of what keyboard-interactive really does.  What does it do, and should I have my clients set it to off in sshd_config?
>> keyboard-interactive would ask the user for a password. You could be doing something a bit different through PAM, but given your query, you probably aren't, and both password and keyboard-interactive are basically equivalent on your system.
> 
> What is the difference between password and keyboard-interactive?

They’re different methods for an SSH client & server to pass password information needed to authenticate the user. Keyboard-interactive can do any type of challenge/response (including multiple of them for a single authentication), and each challenge can display an arbitrary message and prompt. Password authentication, on the other hand, is much simpler, only allowing a single password challenge in most cases, with a fixed prompt. The only exception is when the server wants to force the user to change their password.

In the case of this attack, it only applies to the newer keyboard-interactive authentication, as it relies on the client sending a list of “submethods” for what forms of authentication the server should attempt, specifying PAM authentication over and over. This information cannot be sent from the client when password authentication is requested.
-- 
Ron Frederick
ronf at timeheart.net
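A defender-side check for the behaviour Ron describes, added here as an example and not part of the thread: since a single keyboard-interactive exchange can carry many challenges, one client connection can rack up far more failed PAM attempts than a normally configured server would allow. The script below groups "Failed keyboard-interactive/pam" lines from sshd by the child-process pid (one pid per connection) and flags any connection whose failure count exceeds MaxAuthTries (sshd default 6). The log line format is OpenSSH's own; the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# OpenSSH sshd log format for a failed keyboard-interactive/PAM attempt.
FAILED_KBDINT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed keyboard-interactive/pam for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def count_failures_per_connection(lines):
    """Count failed keyboard-interactive/pam attempts per sshd child pid.

    Each sshd child handles exactly one client connection, so many failures
    under one pid mean that connection was given many guesses in a row.
    Returns {pid: (failure_count, source_ip, username)}.
    """
    counts = defaultdict(int)
    meta = {}
    for line in lines:
        m = FAILED_KBDINT.search(line)
        if not m:
            continue  # accepted logins, other auth methods, unrelated lines
        pid = m.group("pid")
        counts[pid] += 1
        meta[pid] = (m.group("ip"), m.group("user"))
    return {pid: (counts[pid], *meta[pid]) for pid in counts}

def flag_excessive(lines, max_auth_tries=6):
    """Return only connections whose failures exceed MaxAuthTries (default 6)."""
    per_conn = count_failures_per_connection(lines)
    return {pid: info for pid, info in per_conn.items() if info[0] > max_auth_tries}

# Constructed sample log: one connection (pid 2201) with 8 failures in a row,
# one ordinary mistyped login (pid 2202), and one successful key login (pid 2203).
SAMPLE_LOG = [
    f"Jul 23 02:14:{i:02d} bastion sshd[2201]: Failed keyboard-interactive/pam "
    f"for root from 198.51.100.7 port 51402 ssh2"
    for i in range(8)
] + [
    "Jul 23 02:15:01 bastion sshd[2202]: Failed keyboard-interactive/pam "
    "for invalid user alice from 203.0.113.9 port 40010 ssh2",
    "Jul 23 02:15:03 bastion sshd[2202]: Failed keyboard-interactive/pam "
    "for invalid user alice from 203.0.113.9 port 40010 ssh2",
    "Jul 23 02:15:05 bastion sshd[2203]: Accepted publickey for bob "
    "from 192.0.2.4 port 40011 ssh2: ED25519 SHA256:PLACEHOLDER",
]

if __name__ == "__main__":
    for pid, (n, ip, user) in flag_excessive(SAMPLE_LOG).items():
        print(f"pid {pid}: {n} keyboard-interactive/pam failures for {user!r} from {ip}")
```

On a real host, feed it the sshd lines from /var/log/auth.log or journalctl -u ssh instead of SAMPLE_LOG; a hit is worth correlating with the MaxAuthTries and ChallengeResponseAuthentication settings in that host's sshd_config.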

More information about the openssh-unix-dev mailing list