OpenSSH max auth tries issue
Brett Glass
brett at lariat.org
Tue Jul 21 03:04:49 UTC 2015
Because a potential intruder can establish multiple or "tag-teamed"
TCP sessions (possibly from different IPs) to the SSH server, a
per-session limit is barely useful and will not slow a determined
attacker. A global limit might, but would enable DoS attacks.
--Brett Glass
At 01:19 PM 7/17/2015, Mike Tancsa wrote:
>Not sure if others have seen this yet
>
>------------------
>
>
>https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>
>"OpenSSH has a default value of six authentication tries before it will
>close the connection (the ssh client allows only three password entries
>per default).
>
>With this vulnerability an attacker is able to request as many password
>prompts limited by the "login graced time" setting, that is set to two
>minutes by default."
>
>
>--
>-------------------
>Mike Tancsa, tel +1 519 651 3400
>Sentex Communications, mike at sentex.net
>Providing Internet services since 1994 www.sentex.net
>Cambridge, Ontario Canada http://www.tancsa.com/
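A defender-side check that covers both points raised in this thread: a single sshd session logging more failures than MaxAuthTries should ever permit (the keyboard-interactive bypass), and many separate sessions from one source that each stay under the limit (Brett's "tag-teamed" case). This is an added example, not code from the thread or from OpenSSH; the log lines are constructed in OpenSSH's `Failed <method> for <user> from <ip> port <port> ssh2` format, and the thresholds are assumptions.

```python
import re
from collections import Counter

# Matches OpenSSH's authentication-failure log line, e.g.
# "sshd[2001]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 40111 ssh2"
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log (not real data): one session with 9 failures, five
# sessions from one address with 3 failures each, and one benign typo-then-success.
SAMPLE_LOG = (
    [f"Jul 17 13:19:{i:02d} gw sshd[2001]: Failed keyboard-interactive/pam for root "
     f"from 198.51.100.7 port 40111 ssh2" for i in range(9)]
    + [f"Jul 17 13:20:{i:02d} gw sshd[{3000 + s}]: Failed password for invalid user admin "
       f"from 203.0.113.9 port {41000 + s} ssh2" for s in range(5) for i in range(3)]
    + ["Jul 17 13:21:00 gw sshd[4001]: Failed password for alice from 192.0.2.3 port 50123 ssh2",
       "Jul 17 13:21:05 gw sshd[4001]: Accepted password for alice from 192.0.2.3 port 50123 ssh2"]
)


def parse_failures(lines):
    """Yield (pid, method, user, ip) for every failure line; skip everything else."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("pid"), m.group("method"), m.group("user"), m.group("ip")


def find_anomalies(lines, max_auth_tries=6, per_ip_threshold=10):
    """Return (sessions exceeding MaxAuthTries, source IPs exceeding the per-IP threshold).

    max_auth_tries mirrors the sshd_config default of 6; per_ip_threshold is an
    assumed site-specific number aggregating failures across all sessions from one IP.
    """
    per_session, per_ip, session_ip = Counter(), Counter(), {}
    for pid, _method, _user, ip in parse_failures(lines):
        per_session[pid] += 1      # one sshd child process == one TCP session
        per_ip[ip] += 1            # cross-session view of a single source
        session_ip[pid] = ip
    bypass = {pid: (session_ip[pid], n) for pid, n in per_session.items() if n > max_auth_tries}
    tag_team = {ip: n for ip, n in per_ip.items() if n > per_ip_threshold}
    return bypass, tag_team


if __name__ == "__main__":
    print(find_anomalies(SAMPLE_LOG))
```

Run over a real auth log, the first dictionary is the signal that the per-session limit was not enforced; the second is the only view in which the multi-session pattern Brett describes becomes visible at all.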