Thanks for the clarification. One question though: As far as I have tested openssh, it logs every unsuccessful authentication attempt at the very moment it becomes unsuccessful, not after the connection is closed (after timeout or when reaching max auth attempts). Is this true or not, even for this attack? Because if it is true, if there is an IDS system that bans an IP after X failed logins, there should not be any problem. But if logging is deferred for any reason, then the IDS cannot detect the attack in a timely manner.

b.

On 23 July 2015 at 01:03, mancha <mancha1@xxxxxxxx> wrote:
> On Wed, Jul 22, 2015 at 07:41:54PM +0000, Scott Neugroschl wrote:
>> I read an article today about keyboard interactive auth allowing
>> bruteforcing.
>>
>> I'm afraid I have minimal understanding of what keyboard-interactive
>> really does. What does it do, and should I have my clients set it to
>> off in sshd_config?
>
> Hi.
>
> A bug in the keyboard-interactive codebase allows querying a
> keyboard-interactive device more than once per auth request.
>
> By sending a comma-delimited keyboard-interactive device list with
> repeats (e.g. "pam, pam, pam, ..."), one can circumvent an OpenSSH
> server's MaxAuthTries restriction.
>
> That's the crux of the issue.
>
> Attached patch fixes.
>
> --mancha
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
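As an added example (not from this thread or from OpenSSH), the check a log-watching IDS would need for the bypass mancha describes: since sshd logs each failed attempt as it happens, a single connection (source IP plus source port) with more logged failures than MaxAuthTries shows the per-connection limit did not hold. The sample auth.log lines are constructed in sshd's usual format, and the limit of 6 is OpenSSH's documented MaxAuthTries default.

```python
import re

# MaxAuthTries default from sshd_config(5).
DEFAULT_MAX_AUTH_TRIES = 6

# Constructed sample auth.log lines (not from the thread), in sshd's usual format:
# one connection from 192.0.2.10 that keeps failing past MaxAuthTries,
# one with a few failures, and one that fails once and then succeeds.
SAMPLE_LOG = [
    f"Jul 23 01:10:0{i} host sshd[2101]: Failed keyboard-interactive/pam for "
    f"invalid user admin from 192.0.2.10 port 40001 ssh2"
    for i in range(8)
] + [
    f"Jul 23 01:10:1{i} host sshd[2102]: Failed keyboard-interactive/pam for "
    f"root from 198.51.100.7 port 5555 ssh2"
    for i in range(3)
] + [
    "Jul 23 01:11:00 host sshd[2103]: Failed password for bob from 203.0.113.5 port 6000 ssh2",
    "Jul 23 01:11:05 host sshd[2103]: Accepted password for bob from 203.0.113.5 port 6000 ssh2",
]

# Matches sshd's per-attempt failure line for any auth method.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def count_failures_per_connection(lines):
    """Count logged failures keyed by (source IP, source port).

    The source port identifies one TCP connection, so a count above
    MaxAuthTries on a single key means the per-connection limit was exceeded.
    """
    counts = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            key = (m.group("ip"), m.group("port"))
            counts[key] = counts.get(key, 0) + 1
    return counts


def find_maxauthtries_bypass(lines, max_auth_tries=DEFAULT_MAX_AUTH_TRIES):
    """Return (ip, port, failures) for connections over the limit, worst first."""
    counts = count_failures_per_connection(lines)
    hits = [(ip, port, n) for (ip, port), n in counts.items() if n > max_auth_tries]
    return sorted(hits, key=lambda h: (-h[2], h[0]))
```

Calling `find_maxauthtries_bypass(SAMPLE_LOG)` on the constructed lines flags only the 192.0.2.10 connection with 8 failures; a ban rule keyed on IP alone would also have fired on it well before the 8th attempt, provided the failures are logged immediately.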