Re: Keyboard Interactive Attack?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, Jul 22, 2015 at 07:41:54PM +0000, Scott Neugroschl wrote:
> I read an article today about keyboard interactive auth allowing
> bruteforcing.
> 
> I'm afraid I have minimal understanding of what keyboard-interactive
> really does.  What does it do, and should I have my clients set it to
> off in sshd_config?

Hi.

A bug in the keyboard-interactive codebase allows querying a
keyboard-interactive device more than once per auth request.

By sending a comma-delimited keyboard-interactive device list with
repeats (e.g. "pam, pam, pam, ..."), one can circumvent an OpenSSH
server's MaxAuthTries restriction.

That's the crux of the issue.

Attached patch fixes. 

--mancha
From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
From: "djm@xxxxxxxxxxx" <djm@xxxxxxxxxxx>
Date: Sat, 18 Jul 2015 07:57:14 +0000
Subject: [PATCH] upstream commit

Query each keyboard-interactive device only once per authentication
request regardless of how many times it is listed; ok markus@

Upstream-ID:  d73fafba6e86030436ff673656ec1f33d9ffeda1
Reference-ID: 701a201481b751df5ed85b68de259637

---
 auth2-chall.c | 11 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
 	void *ctxt;
 	KbdintDevice *device;
 	u_int nreq;
+	u_int devices_done;
 };
 
 #ifdef USE_PAM
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
 		if (len == 0)
 			break;
 		for (i = 0; devices[i]; i++) {
-			if (!auth2_method_allowed(authctxt,
+			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+			    !auth2_method_allowed(authctxt,
 			    "keyboard-interactive", devices[i]->name))
 				continue;
-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+			if (strncmp(kbdintctxt->devices, devices[i]->name,
+			    len) == 0) {
 				kbdintctxt->device = devices[i];
+				kbdintctxt->devices_done |= 1 << i;
+			}
 		}
 		t = kbdintctxt->devices;
 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;

Attachment: pgps3_ltCiRJw.pgp
Description: PGP signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux