OpenSSH max auth tries issue

Mark Felder feld at FreeBSD.org
Sat Jul 18 23:10:18 UTC 2015
On Fri, Jul 17, 2015, at 14:19, Mike Tancsa wrote:
> Not sure if others have seen this yet
> 
> ------------------
> 
> 
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
> 
> "OpenSSH has a default value of six authentication tries before it will
> close the connection (the ssh client allows only three password entries
> per default).
> 
> With this vulnerability an attacker is able to request as many password
> prompts limited by the “login graced time” setting, that is set to two
> minutes by default."
> 
> 

Does it produce multiple entries in the server logs? I'm curious if
sshguard etc would detect this. If I understand what's going on, this
might appear as if it's a single "session" and be able to bypass pf
overload rules. I'll have to play around with it and see what it does.
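
An added illustration of the detection question raised above (example code written for this page, not from the original mail, sshguard or pf): it assumes sshd writes one "Failed keyboard-interactive/pam for ... from ... port ... ssh2" line per rejected prompt, which is exactly the point that needs checking on a real server, and the log lines, addresses and thresholds below are constructed for the example. It contrasts a per-source failure counter, as a log watcher would keep, with a per-connection counter, which is roughly what an overload rule keyed on new TCP connections sees: the bypass scenario is one connection carrying many failures, so only the failure counter flags it.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (syslog prefix included for realism).
# First block: the keyboard-interactive bypass, one TCP connection (one
# source port) producing failures well past the default MaxAuthTries of 6.
# Second block: an ordinary brute force that reconnects for every attempt.
SAMPLE_LOG = [
    "Jul 17 14:19:01 host sshd[2101]: Failed keyboard-interactive/pam for root "
    "from 198.51.100.7 port 40112 ssh2"
    for _ in range(30)
] + [
    "Jul 17 14:20:%02d host sshd[%d]: Failed password for root "
    "from 203.0.113.9 port %d ssh2" % (i, 2200 + i, 41000 + i)
    for i in range(12)
] + [
    "Jul 17 14:21:00 host sshd[2300]: Accepted publickey for alice "
    "from 192.0.2.20 port 50001 ssh2",
]

FAILED_RE = re.compile(
    r"Failed (?P<method>password|keyboard-interactive/pam) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def parse_failures(lines):
    """Return (ip, port, user, method) for every failed-auth line."""
    out = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            out.append((m["ip"], int(m["port"]), m["user"], m["method"]))
    return out


def failures_per_source(lines):
    """What a log watcher counts: every failed attempt per source address,
    no matter how many connections they were spread across."""
    counts = defaultdict(int)
    for ip, _port, _user, _method in parse_failures(lines):
        counts[ip] += 1
    return dict(counts)


def connections_per_source(lines):
    """Approximation of what a per-connection limiter sees: distinct source
    ports per address, i.e. one per TCP connection in this sample."""
    ports = defaultdict(set)
    for ip, port, _user, _method in parse_failures(lines):
        ports[ip].add(port)
    return {ip: len(p) for ip, p in ports.items()}


def flag(lines, max_failures=6, max_connections=6):
    """Sources each strategy would flag. Thresholds are hypothetical."""
    by_fail = failures_per_source(lines)
    by_conn = connections_per_source(lines)
    return {
        "by_failures": sorted(ip for ip, n in by_fail.items() if n > max_failures),
        "by_connections": sorted(ip for ip, n in by_conn.items() if n > max_connections),
    }


if __name__ == "__main__":
    # 198.51.100.7 shows up only under by_failures: 30 failures, 1 connection.
    print(flag(SAMPLE_LOG))
```

Run against a real /var/log/auth.log instead of SAMPLE_LOG to see whether the bypass actually leaves one line per prompt; if it does, counting failures per source catches it where counting connections cannot.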