And to answer your question about what to do, you have three options:
- disable access to ssh with a firewall
- disable password authentication
- install and enable IDS to mitigate brute forcing

b.

On 22 July 2015 at 22:54, Bostjan Skufca <bostjan@xxxxxx> wrote:
> I just stumbled upon this story too (on /.), and as far as I
> understand it, it allows a bit simpler way to perform brute force
> attacks.
>
> If you go about bruteforcing ssh, does it really matter that much if
> you do it over one or 10 tcp connections?
>
> If you do not have IDS (Intrusion Detection System, fail2ban or ossec
> HIDS) installed and functioning, this bug does not matter all that
> much. A determined attacker has this covered, regardless of the number of
> kbd-interactive attempts you allow per single connection.
>
> b.
>
> PS: Actually I tried the proof of concept + patch provided for ssh.
> Openssh, patched with this patch, does not even compile.
>
> On 22 July 2015 at 21:41, Scott Neugroschl <scott_n@xxxxxxxxx> wrote:
>> I read an article today about keyboard interactive auth allowing bruteforcing.
>>
>> I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config?
>>
>> ---
>> Scott Neugroschl | XYPRO Technology Corporation
>> 4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev@xxxxxxxxxxx
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
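The third option above (an IDS that notices brute forcing) boils down to counting failed attempts per source over time, regardless of how many connections they are spread across. The following is an added example, not code from the thread or from OpenSSH/fail2ban: it parses sshd "Failed keyboard-interactive/pam" and "Failed password" lines from constructed auth.log samples and flags any source with five or more failures inside a sixty-second window (both numbers are assumed thresholds).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not from the thread). 192.0.2.10
# fails six times in ten seconds over a single connection (same port),
# which is what the kbd-interactive bug permits; 198.51.100.7 fails
# three times over fourteen minutes on separate connections.
SAMPLE_LOG = """\
Jul 22 22:50:00 host sshd[1190]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jul 22 22:54:01 host sshd[1201]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 50100 ssh2
Jul 22 22:54:03 host sshd[1201]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 50100 ssh2
Jul 22 22:54:05 host sshd[1201]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 50100 ssh2
Jul 22 22:54:07 host sshd[1201]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 50100 ssh2
Jul 22 22:54:09 host sshd[1201]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 50100 ssh2
Jul 22 22:54:11 host sshd[1201]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 50100 ssh2
Jul 22 22:57:30 host sshd[1230]: Failed password for invalid user admin from 198.51.100.7 port 41250 ssh2
Jul 22 23:04:10 host sshd[1302]: Failed password for root from 198.51.100.7 port 41888 ssh2
"""

# Matches the two sshd failure messages relevant here; the syslog
# timestamp has no year, so parse_failures takes one as a parameter.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>keyboard-interactive/pam|password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(text, year=2015):
    """Yield (timestamp, source_ip, method) for every failed-auth line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["method"]

def find_bruteforcers(text, threshold=5, window_s=60):
    """Return {ip: peak failures within one window} for sources at or
    above the threshold. Connections are deliberately ignored: only the
    source address and the timing matter."""
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    flagged = {}
    for ts, ip, _method in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

A real deployment would feed the flagged addresses to a firewall rule with an expiry, which is the part fail2ban adds on top of this counting.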