Quoting Scott Neugroschl <scott_n@xxxxxxxxx>:

> On Wednesday, July 22, 2015 4:32 PM, Ron Frederick wrote:
>
> > You need to disable "ChallengeResponse" (aka keyboard-interactive)
> > authentication, not password authentication, to protect against this
> > attack.

While that will probably do it on most setups, to be absolutely certain, the actual setting in sshd_config is:

KbdInteractiveAuthentication

Per the sshd_config man page, if it's not explicitly set, it will copy the setting of ChallengeResponseAuthentication, which defaults to "yes".

So Ron's advice will probably work for most people, but not for those where they've set KbdInteractiveAuthentication to yes.

If each attempt triggers a password failure logging entry, people running IDS or log-watching IP-ban daemons probably don't have any increased risk.

Keep in mind this is something that in some system configurations can gently assist a remote password cracker, and isn't an "exploit".

Cheers,
=R=

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
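The inheritance rule described in the message above, as an added example that is not part of the original thread and is not OpenSSH code: a small checker that resolves whether keyboard-interactive authentication is effectively enabled in an sshd_config text. The function names and the sample configurations are constructed for illustration, and the resolution logic follows the rule as the message states it; evaluating only the global section (before any `Match` block) is a simplification of this example.

```python
import re

def effective_kbdint(config_text):
    """Return (enabled, reason) for keyboard-interactive auth.

    Rule as stated in the message: KbdInteractiveAuthentication, when not
    set explicitly, copies ChallengeResponseAuthentication, which defaults
    to "yes". Only the global section is evaluated (example simplification).
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                   # keywords are case-insensitive
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":                       # stop at the first Match block
            break
        seen.setdefault(key, value)              # sshd uses the first value it reads
    kbd = seen.get("kbdinteractiveauthentication")
    chal = seen.get("challengeresponseauthentication")
    if kbd is not None:
        return kbd == "yes", "KbdInteractiveAuthentication set explicitly"
    if chal is not None:
        return chal == "yes", "inherited from ChallengeResponseAuthentication"
    return True, "neither keyword set; ChallengeResponseAuthentication defaults to yes"

# Constructed sample configurations, one per case discussed in the thread.
SAMPLES = {
    "password_only_disabled": "PasswordAuthentication no\n",
    "rons_advice": "ChallengeResponseAuthentication no\n",
    "explicit_override": ("ChallengeResponseAuthentication no\n"
                          "KbdInteractiveAuthentication yes\n"),
    "explicit_off": "KbdInteractiveAuthentication no\n",
}

def audit(samples):
    """Map each sample name to its (enabled, reason) result."""
    return {name: effective_kbdint(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, (enabled, reason) in audit(SAMPLES).items():
        state = "ENABLED" if enabled else "disabled"
        print(f"{name:24} keyboard-interactive {state}: {reason}")
```

On a live host, `sshd -T` prints the effective configuration as sshd itself resolved it, which is the authoritative check.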