On 07/23/15 07:22, Mike Tancsa wrote:
> On 7/17/2015 3:19 PM, Mike Tancsa wrote:
>> ------------------
>> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>>
>> With this vulnerability an attacker is able to request as many password
>> prompts limited by the "login graced time" setting, that is set
>> to two minutes by default."
>>
>
> There is a patch in the OpenSSH tree to mitigate this. Any chance
> on bringing this in before 10.2R ships?
>
> https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab

We will bring in a mitigation measure before 10.2R, but it would probably need to be broader than the upstream change.

Note that one should really not configure the system with password-based authentication for SSH anyway: even with this specific issue resolved, there will still be other ways to help brute-force passwords over the wire.

Cheers,
- --
Xin LI <delp...@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
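The thread turns on four sshd_config settings: PasswordAuthentication, ChallengeResponseAuthentication (the keyboard-interactive path the linked post's MaxAuthTries bypass goes through), MaxAuthTries and LoginGraceTime. The script below is an added example, not OpenSSH's or FreeBSD's own code, that audits the global section of an sshd_config the way sshd reads it: the first value seen for a keyword wins and later duplicates are ignored, lines after the first `Match` are conditional and skipped, and absent keywords fall back to the OpenSSH defaults of that era (PasswordAuthentication yes, ChallengeResponseAuthentication yes, MaxAuthTries 6, LoginGraceTime 120). The thresholds of 3 tries and 30 seconds, the helper names and the sample configs are assumptions made for the example; the configs are constructed, not taken from any real host.

```python
"""Audit the global section of an sshd_config for the settings discussed in
the thread.  Added example, not OpenSSH's or FreeBSD's code.  Assumes the
OpenSSH 6.x-era defaults listed in DEFAULTS; the "tries > 3" and
"grace > 30s" thresholds are this example's own choices."""
import re

# Defaults from sshd_config(5) of the era; used when the keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "maxauthtries": "6",
    "logingracetime": "120",
}

# "Keyword value" or "Keyword=value"; sshd's tokenizer accepts both.
_LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def parse_time(value):
    """Convert sshd time formats ('120', '2m', '1h30m') to seconds."""
    unit = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    total = 0
    for num, suf in re.findall(r"(\d+)([smhdw]?)", value.lower()):
        total += int(num) * unit.get(suf, 1)
    return total


def parse_global(text):
    """Return {keyword_lower: value} for the global section.

    sshd keeps the FIRST value it sees for a keyword and ignores later
    duplicates, so a hardening line appended to the end of the file does
    nothing if the keyword already appears above it.  Everything after the
    first Match line is conditional and is not audited here (assumption)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break
        seen.setdefault(key, val)
    return seen


def audit_text(text):
    """Return a list of findings for the global settings; empty if hardened."""
    cfg = parse_global(text)
    eff = {k: cfg.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: passwords are accepted "
                        "over the wire")
    if eff["challengeresponseauthentication"] == "yes":
        # With UsePAM yes this still yields password prompts via
        # keyboard-interactive even when PasswordAuthentication is no.
        findings.append("ChallengeResponseAuthentication yes: keyboard-"
                        "interactive prompts remain available")
    tries = int(eff["maxauthtries"])
    if tries > 3:  # threshold is this example's assumption
        findings.append(f"MaxAuthTries {tries}: more than 3 guesses per "
                        "connection")
    grace = parse_time(eff["logingracetime"])
    if grace > 30:  # threshold is this example's assumption
        findings.append(f"LoginGraceTime {grace}s: a connection may keep "
                        f"prompting for {grace}s")
    return findings


# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """\
# Nothing relevant set, so every default applies
Port 22
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 30
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
"""

# Half-hardened: password auth off but keyboard-interactive left on, and a
# later MaxAuthTries 2 that sshd ignores because MaxAuthTries 6 came first.
HALF_CONFIG = """\
MaxAuthTries 6
PasswordAuthentication no
LoginGraceTime 2m
MaxAuthTries 2
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("half", HALF_CONFIG)):
        print(name, audit_text(cfg) or "ok")
```

The half-hardened sample is the case worth checking on a real host: turning off PasswordAuthentication alone does not remove password prompts while ChallengeResponseAuthentication (and UsePAM) stay on, and a duplicate keyword lower in the file is silently ignored. To see the values sshd actually resolved rather than re-parsing the file, run `sshd -T` on the host and audit its output.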