-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/23/15 16:06, Emilio Perea wrote:
> To me it looks like a mistimed April Fools' joke, but hope somebody
> more knowledgeable will respond:
>
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/

I'll bite.

In my *very* limited testing, using variations of the first ssh command
in that blog post, none of my OpenBSD boxes with fairly pristine out of
the box /etc/ssh/sshd_config permitted more than three tries before
closing the connection. I also tested some Linux boxes (CentOS
6.something) with the same result.

However, running that command pointing at a FreeBSD 10.1 box in my care
gave more than three tries. I aborted well before reaching 10000 for
obvious reasons.

I'm sure developers with more intimate knowledge of the code in question
can fill in some gaps.

- -- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJVsPcvAAoJELJiGF9h4Dye0PUP+gNAIEKaZuLxN3wtpGF2+cbk
pgeU2ktuEXHHSm3Zo0OEoUGOQcyb01oAR4jtBn8ofHqy5pl1nkFz44bbttjfwKoQ
tuCjtt4SKTe9rth1rfNQnUXKZeMCJfoUuupi+tShj61zlfq3xlYfa33wotx2FOy9
XKaX6Nq9k6pFsHJJeDuka/jsiFcMq4nxT6kgZACW4owolDuzIRhLbLRDwPOi+do6
JyBrOitPVBO52uhH1LFDQIYuut7oLMqA7FHvFOUVap2YsQfsqV1KqQrETrT8dwSE
rzuV0ZKd8wO7DsvpJX3X4p1Ww3Y+XviGdBx30tbuG/99evhiWhH26zf4D05tzzJu
TegsLgwcPvg1HjE8CjFnPx3XkYvRlD7oVWpG66QixdW2mW7dNKA2qnm/saaA9q3s
zMtFk3e+I98iDR03lLzYaASFPKEwIw1o/nvr2WYq9RZtyzKSR2NT9yYsdbfdcHJu
Vb3qtrsX1lZFfNQT8ojcREbK8s2w+Zptt/poWe8E+u43VtgtvcQUsML0KZQPCObk
ZMJexU3+YSdIRKbpM5D2tvdgvhgHXGwt+HAJKhEt8clf/X1s+cv13ktU9iim/O3V
brTXZWM/SAM49Hg/9i2p8zHQQft/bvDWlu6hyvrViMAjIDqhrUYd7m2gTzuAgQaL
BKIu5nNh58RfIPeUDDax
=Xum/
-----END PGP SIGNATURE-----
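The post above reports that stock sshd_config on some systems allowed more than three tries while others did not. The sshd_config fragment below is an added example, not part of the original message and not the configuration of any of the boxes described; it shows the settings that govern how many attempts a client gets per connection and whether the keyboard-interactive (challenge-response) method the blog post targets is offered at all. The directive names are real OpenSSH options; the values shown for the "weak" side are assumptions chosen to illustrate a permissive setup, not a claim about any vendor's defaults.

```conf
# --- Permissive setup (assumed for illustration, not a vendor default) ---
# Keyboard-interactive is enabled and backed by PAM, and password
# authentication is also on, so an attacker has an interactive
# password-guessing path on every connection.
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
MaxAuthTries 6

# --- Hardened setup ---
# If users authenticate with keys only, turn off the methods the brute
# force needs. With no keyboard-interactive or password method offered,
# the question of how many prompts MaxAuthTries allows per connection
# does not arise.
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
# Optional: only allow the accounts that actually need shell access.
AllowUsers admin ops
```

After editing, confirm what the running daemon will actually use rather than trusting the file: `sshd -T` prints the effective configuration, so `sshd -T | grep -iE 'challengeresponse|passwordauth|maxauthtries|usepam'` shows the four values that matter here. Test the change from a second session before closing the one you are logged in on, since turning off password and challenge-response authentication locks out anyone without a working key.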