OpenSSH max auth tries issue
Xin Li
delphij at delphij.net
Thu Jul 23 19:26:56 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 07/23/15 07:22, Mike Tancsa wrote:
> On 7/17/2015 3:19 PM, Mike Tancsa wrote:
>> ------------------
>> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>>
>> "With this vulnerability an attacker is able to request as many password
>> prompts limited by the “login graced time” setting, that is set
>> to two minutes by default."
>>
>
> There is a patch in the OpenSSH tree to mitigate this. Any chance
> on bringing this in before 10.2R ships ?
>
> https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab
We will bring in mitigation measures before 10.2R, but it would
probably need to be broader than the upstream change.

Note that one should really not configure the system with password-based
authentication for SSH anyway: even with this specific issue resolved,
there are still other ways to help brute-force passwords over the wire.
Cheers,
--
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)
-----END PGP SIGNATURE-----
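The thread recommends turning off password authentication rather than relying on MaxAuthTries, since the bypass goes through keyboard-interactive prompts that MaxAuthTries does not bound. The following is an added example (not code from the thread, from OpenSSH or from FreeBSD) that audits an sshd_config the way sshd itself reads it: keywords are case-insensitive, the first occurrence of a keyword wins, and lines after a Match directive only apply to the matched clients. It reports password and keyboard-interactive authentication being reachable, a long or unlimited LoginGraceTime, and Match blocks that re-enable either. The two configuration texts and the default values table are constructed for the example; the defaults follow OpenSSH's documented defaults of the time (PasswordAuthentication yes, ChallengeResponseAuthentication yes, MaxAuthTries 6, LoginGraceTime 2m).

```python
"""Audit an sshd_config for settings that leave password guessing reachable.

Added example, not part of the thread. Assumed: the DEFAULTS table and the
two sample configs below are constructed for illustration.
"""
import re

# OpenSSH documented defaults at the time of the thread (2015). sshd uses
# these when a keyword is absent, so an audit has to start from them.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "maxauthtries": "6",
    "logingracetime": "2m",
}

# Newer OpenSSH spells the same option KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Split sshd_config text into (global_settings, match_blocks).

    global_settings is {keyword: value}; match_blocks is a list of
    (criteria, {keyword: value}). Mirrors the sshd rules that decide whether
    a hardening line takes effect: keywords are case-insensitive, the first
    occurrence of a keyword wins (a later 'PasswordAuthentication no' below
    an earlier 'yes' is ignored), and everything after a 'Match' line belongs
    to that block until the next 'Match' line.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)        # first occurrence wins
    return global_settings, match_blocks


def parse_time(value):
    """Convert an sshd time value ('120', '2m', '1h30m') to seconds."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(n) * units[u]
               for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))


def audit(text):
    """Return a list of findings; an empty list means nothing to flag."""
    global_settings, match_blocks = parse_sshd_config(text)
    cfg = dict(DEFAULTS)
    cfg.update(global_settings)
    findings = []
    if cfg["challengeresponseauthentication"] == "yes":
        findings.append("ChallengeResponseAuthentication yes: keyboard-interactive "
                        "prompts are reachable, the path the MaxAuthTries bypass uses")
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed over the wire")
    grace = parse_time(cfg["logingracetime"])
    if grace == 0 or grace > 60:
        findings.append("LoginGraceTime %s: one unauthenticated connection may keep "
                        "prompting for that long (0 means no limit)" % cfg["logingracetime"])
    for criteria, block in match_blocks:
        for key in ("passwordauthentication", "challengeresponseauthentication"):
            if block.get(key) == "yes":
                findings.append("Match %s re-enables %s for the matched clients"
                                % (criteria, key))
    return findings


# Constructed sample: relies on MaxAuthTries alone; the trailing 'no' is dead.
WEAK_CONFIG = """\
Port 22
UsePAM yes
MaxAuthTries 3
LoginGraceTime 2m
PasswordAuthentication yes
PasswordAuthentication no    # never applied: first occurrence wins
"""

# Constructed sample: public-key only, short grace period, one scoped exception.
HARDENED_CONFIG = """\
Port 22
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 30
Match Address 192.0.2.0/24
    PasswordAuthentication yes   # deliberate exception, still reported
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for finding in audit(cfg) or ["no findings"]:
            print("  - " + finding)
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`. The "first occurrence wins" rule is the one that most often defeats a hardening change in practice: appending `PasswordAuthentication no` to a file that already sets it earlier changes nothing, and the auditor reports the value sshd will actually use.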
More information about the freebsd-security mailing list