On Wed, Jul 22, 2015 at 07:41:54PM +0000, Scott Neugroschl wrote: > I read an article today about keyboard interactive auth allowing > bruteforcing. > > I'm afraid I have minimal understanding of what keyboard-interactive > really does. What does it do, and should I have my clients set it to > off in sshd_config? Hi. A bug in the keyboard-interactive codebase allows querying a keyboard-interactive device more than once per auth request. By sending a comma-delimited keyboard-interactive device list with repeats (e.g. "pam, pam, pam, ..."), one can circumvent an OpenSSH server's MaxAuthTries restriction. That's the crux of the issue. Attached patch fixes. --mancha
From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001 From: "djm@xxxxxxxxxxx" <djm@xxxxxxxxxxx> Date: Sat, 18 Jul 2015 07:57:14 +0000 Subject: [PATCH] upstream commit Query each keyboard-interactive device only once per authentication request regardless of how many times it is listed; ok markus@ Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1 Reference-ID: 701a201481b751df5ed85b68de259637 --- auth2-chall.c | 11 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/auth2-chall.c +++ b/auth2-chall.c @@ -83,6 +83,7 @@ struct KbdintAuthctxt void *ctxt; KbdintDevice *device; u_int nreq; + u_int devices_done; }; #ifdef USE_PAM @@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) if (len == 0) break; for (i = 0; devices[i]; i++) { - if (!auth2_method_allowed(authctxt, + if ((kbdintctxt->devices_done & (1 << i)) != 0 || + !auth2_method_allowed(authctxt, "keyboard-interactive", devices[i]->name)) continue; - if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) + if (strncmp(kbdintctxt->devices, devices[i]->name, + len) == 0) { kbdintctxt->device = devices[i]; + kbdintctxt->devices_done |= 1 << i; + } } t = kbdintctxt->devices; kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
Attachment:
pgps3_ltCiRJw.pgp
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev