On 22/07/15 21:41, Scott Neugroschl wrote:
> I read an article today about keyboard interactive auth allowing bruteforcing.
> I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config?
keyboard-interactive would ask the user for a password. You could be
doing something a bit different through PAM, but given your query, you
probably aren't, and both password and keyboard-interactive are
basically equivalent on your system.
Does it allow bruteforcing? Yes, they could attempt to guess your users'
passwords. But they are using safe passwords, right?
My advice is:
* Disable password authentication for root (PermitRootLogin to no or
without-password). This is by far the most attacked account, and the
one they can do most damage through.
* Do not allow users to use simple passwords (at the very least, the
password must not contain the username).
* Ban IPs after X failures (use a tool like fail2ban)
* Locking out an account after X password failures may be an appropriate
measure, but largely depends on your setup (e.g. How should the lock
expire or shall the unlock be manual? Can your clients call your
helpdesk and get unlocked?). This would be configured through PAM.
Best regards
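The advice in the reply above can be checked mechanically. The following is an added example, not code from the mailing list or from OpenSSH: it audits an sshd_config excerpt for the three settings the reply names (PermitRootLogin, PasswordAuthentication, and keyboard-interactive via ChallengeResponseAuthentication or its newer name KbdInteractiveAuthentication), and then counts "Failed ..." lines from sshd's auth log per source IP and per account, which is the idea behind fail2ban's ban threshold and a PAM-style lockout. The config and log lines are constructed samples using documentation IP ranges; the parser is deliberately simple (whitespace-separated "Keyword value" lines only, no Match blocks), and the threshold of 3 is a hypothetical value, not a fail2ban or PAM default.

```python
import re
from collections import Counter

# Constructed sample sshd_config excerpt (not a real host's file),
# showing the weak settings the reply above warns about.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# The same file with the reply's recommendations applied (constructed sample).
HARDENED_SSHD_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed auth.log excerpt in sshd's real message format; the
# addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_AUTH_LOG = """\
Jul 22 21:41:03 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 22 21:41:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jul 22 21:41:07 host sshd[1236]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 51238 ssh2
Jul 22 21:41:09 host sshd[1237]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul 22 21:42:00 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jul 22 21:42:10 host sshd[1241]: Failed password for alice from 198.51.100.7 port 40002 ssh2
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for each keyword's effective setting.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored. Simplified parser: comments and blank lines are skipped, only the
    "Keyword value" form is handled, and Match blocks are not interpreted.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(settings):
    """Return a list of findings for the settings recommended in the reply above."""
    findings = []
    # When PermitRootLogin is absent the default depends on the OpenSSH release
    # (it was "yes" on releases of this era), so treat absence as "yes".
    root = settings.get("permitrootlogin", "yes")
    if root not in ("no", "without-password", "prohibit-password", "forced-commands-only"):
        findings.append(f"PermitRootLogin is '{root}'; set it to no or without-password")
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is enabled")
    # keyboard-interactive: newer name KbdInteractiveAuthentication,
    # older name ChallengeResponseAuthentication; both default to yes.
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes"))
    if kbd == "yes":
        findings.append("keyboard-interactive authentication is enabled")
    return findings


# Matches sshd's "Failed <method> for [invalid user] <user> from <ip> port <n>" lines.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def count_failures(log_text, key="ip"):
    """Count failed authentication attempts grouped by "ip" or "user"."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(key)] += 1
    return counts


def ips_to_ban(log_text, max_failures=3):
    """IPs that reached max_failures failed attempts (the fail2ban idea)."""
    return sorted(ip for ip, n in count_failures(log_text, "ip").items() if n >= max_failures)


def accounts_to_lock(log_text, max_failures=3):
    """Accounts that reached max_failures failed attempts (the PAM lockout idea)."""
    return sorted(u for u, n in count_failures(log_text, "user").items() if n >= max_failures)


if __name__ == "__main__":
    for finding in audit_sshd_config(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("finding:", finding)
    print("hardened findings:", audit_sshd_config(parse_sshd_config(HARDENED_SSHD_CONFIG)))
    print("ban candidates:", ips_to_ban(SAMPLE_AUTH_LOG))
    print("lockout candidates:", accounts_to_lock(SAMPLE_AUTH_LOG))
```

Run against a real host, the config audit would read /etc/ssh/sshd_config and the counters would read the sshd log; keep in mind that a lockout keyed on the account name, as in accounts_to_lock, lets a remote party lock out a legitimate user, which is exactly the operational trade-off the reply raises about lock expiry and helpdesk unlocks.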
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev