I just stumbled upon this story too (on /.), and as far as I understand it, it allows a bit simpler way to perform brute force attacks. If you go about bruteforcing ssh, does it really matter that much if you do it over one or 10 tcp connections? If you do not have IDS (Intrusion Detection System, fail2ban or ossec HIDS) installed and functioning, this bug does not matter all that much. Determined attacker has this covered, regardles of number of kbd-interactive attempts you allow per single connection. b. PS: Actually I tried the proof of concept + patch provided for ssh. Openssh, patched with this patch, does not even compile. On 22 July 2015 at 21:41, Scott Neugroschl <scott_n@xxxxxxxxx> wrote: > I read an article today about keyboard interactive auth allowing bruteforcing. > > I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config? > > > --- > Scott Neugroschl | XYPRO Technology Corporation > 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 | > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
