OpenSSH max auth tries issue

Mike Tancsa mike at sentex.net
Thu Jul 23 14:22:26 UTC 2015


On 7/17/2015 3:19 PM, Mike Tancsa wrote:
> ------------------
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
> With this vulnerability an attacker is able to request as many password
> prompts limited by the “login graced time” setting, that is set to two
> minutes by default."
> 
> 

There is a patch in the OpenSSH tree to mitigate this. Any chance of
bringing this in before 10.2R ships?


https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab



	---Mike








-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
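
An added example, not part of the message above or of the OpenSSH patch it links: a small audit of effective sshd settings for the condition the quoted advisory describes, where keyboard-interactive authentication is enabled and the prompt count is bounded only by the login grace time. It assumes input in the `sshd -T` format with `logingracetime` in seconds; the sample configurations are constructed, and the 120-second threshold and finding names are this example's own choices.

```python
import sys

# Constructed samples of `sshd -T` output (lowercase "keyword value" lines).
SAMPLE_EXPOSED = """\
maxauthtries 6
logingracetime 120
kbdinteractiveauthentication yes
challengeresponseauthentication yes
usepam yes
"""
SAMPLE_REDUCED = """\
maxauthtries 3
logingracetime 30
kbdinteractiveauthentication no
challengeresponseauthentication no
"""

# Either keyword turns on keyboard-interactive authentication.
KBDINT_KEYS = ("kbdinteractiveauthentication", "challengeresponseauthentication")

def parse_sshd_t(text):
    """Return {keyword: first value} from `sshd -T` style output."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and not key.startswith("#"):
            cfg.setdefault(key.lower(), value.strip())
    return cfg

def audit(cfg):
    """Return (finding_id, message) tuples; an empty list means nothing flagged."""
    findings = []
    if not any(cfg.get(k) == "yes" for k in KBDINT_KEYS):
        return findings
    tries = cfg.get("maxauthtries", "unknown")
    grace = int(cfg.get("logingracetime", "120"))  # assumed default: the two minutes the post cites
    findings.append(("kbdint-enabled",
        f"keyboard-interactive is enabled; on an unpatched sshd, maxauthtries={tries} "
        "may not bound the number of password prompts per connection"))
    if grace == 0:
        findings.append(("grace-unlimited", "logingracetime 0: no time limit on a connection"))
    elif grace >= 120:  # assumed threshold for this example
        findings.append(("grace-long", f"logingracetime={grace}s: prompts are bounded only by this window"))
    return findings

if __name__ == "__main__":
    text = SAMPLE_EXPOSED if sys.stdin.isatty() else sys.stdin.read()
    for fid, msg in audit(parse_sshd_t(text)):
        print(f"[{fid}] {msg}")
```

Run against a live host by piping `sshd -T` (as root) into the script.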

