RE: Keyboard Interactive Attack?

Quoting Scott Neugroschl <scott_n@xxxxxxxxx>:

> 
> On Wednesday, July 22, 2015 4:32 PM, Ron Frederick wrote:
> 
> > You need to disable "ChallengeResponse" (aka keyboard-interactive)
> > authentication, not password authentication, to protect against this
> > attack.

While that will probably do it on most setups, to be absolutely certain, the
actual setting in sshd_config is: KbdInteractiveAuthentication

Per the sshd_config man page, if it's not explicitly set, it will copy the
setting of ChallengeResponseAuthentication, which defaults to "yes".

So Ron's advice will probably work for most people, but not for those where
they've set KbdInteractiveAuthentication to yes.

If each attempt triggers a password failure logging entry, people running IDS
or log-watching IP-ban daemons probably don't have any increased risk.

Keep in mind this is something that in some system configurations can gently
assist a remote password cracker, and isn't an "exploit".

Cheers,
=R=
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
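An added shell example (editor's code, not from anyone in this thread) that applies the inheritance rule described above to an sshd_config file: it reports the effective KbdInteractiveAuthentication value, treating an unset keyword as inheriting ChallengeResponseAuthentication, which itself defaults to "yes". It assumes only global settings matter (anything after a Match line is ignored), and the sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Print the value of keyword $2 in sshd_config file $1 (case-insensitive).
# As in sshd(8), the first occurrence wins; comments are skipped and the
# scan stops at the first "Match" line (assumption: global section only).
get_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                  # comment line
        tolower($1) == "match" { exit }           # leave the global section
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Echo "yes" if keyboard-interactive authentication is effectively enabled
# in file $1, otherwise "no", following the rule from the post:
#   KbdInteractiveAuthentication unset -> ChallengeResponseAuthentication
#   ChallengeResponseAuthentication unset -> "yes"
effective_kbdint() {
    kbd=$(get_setting "$1" KbdInteractiveAuthentication)
    if [ -z "$kbd" ]; then
        kbd=$(get_setting "$1" ChallengeResponseAuthentication)
    fi
    echo "${kbd:-yes}"
}

# Constructed sample configs covering the cases discussed in the thread.
tmpdir=$(mktemp -d)
# a: Ron's advice, ChallengeResponse off, Kbd inherits -> "no"
printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$tmpdir/a"
# b: the exception the reply points out, Kbd set explicitly -> "yes"
printf 'ChallengeResponseAuthentication no\nKbdInteractiveAuthentication yes\n' > "$tmpdir/b"
# c: neither keyword set, so the default applies -> "yes"
printf 'PasswordAuthentication no\n' > "$tmpdir/c"
# d: Kbd only inside a Match block, which this check ignores -> "no"
printf 'ChallengeResponseAuthentication no\nMatch User backup\nKbdInteractiveAuthentication yes\n' > "$tmpdir/d"

for f in a b c d; do
    echo "$f: KbdInteractiveAuthentication effectively $(effective_kbdint "$tmpdir/$f")"
done
```

On a live host, `sshd -T` prints the values sshd actually uses (including Match handling), so `sshd -T | grep -i -e kbdinteractive -e challengeresponse` is the authoritative check.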
