On 23 Jul 2015, at 10:06, Emilio Perea wrote:

> To me it looks like a mistimed April Fools' joke, but hope somebody more knowledgeable will respond:
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
It is a real issue. Your servers might not see the issue depending on what options have been set for sshd_config. My freebsd boxes do *not* have the problem, but that's because I have set 'ChallengeResponseAuthentication no'.

I don't even remember why I set that on my freebsd boxes. I change very few settings, but for some reason I decided to change that one.

I can reproduce the problem on my Macs, because they are set up with 'ChallengeResponseAuthentication yes', and I do not turn it off.

I'm told that another way to avoid the problem is to set 'KbdInteractiveAuthentication no'.

I'm also told that there is a patch for the oversight in OpenSSH's code, and that can be seen at:
https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab
--
Garance Alistair Drosehn = dro...@rpi.edu
Senior Systems Programmer or g...@freebsd.org
Rensselaer Polytechnic Institute; Troy, NY; USA
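The two sshd_config settings named in the reply, turned into a small config audit. This is an added example, not code from the list post or from OpenSSH; it assumes the config text is passed as a string, that (as in sshd) the first value of a keyword wins and a `Match` line ends the global section, and that an unset ChallengeResponseAuthentication means "yes" and an unset MaxAuthTries means 6.

```sh
# Added example: check the global section of an sshd_config for the
# mitigation described in the reply (ChallengeResponseAuthentication no
# or KbdInteractiveAuthentication no). Assumptions: first value of a
# keyword wins, a Match block ends the global section, and unset keys
# fall back to the defaults ChallengeResponseAuthentication yes and
# MaxAuthTries 6.

# effective_value CONFIG KEY: print the first uncommented value of KEY
# (case-insensitive) before any Match block, or nothing if it is unset.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                       # comment or blank line
        tolower($1) == "match" { exit }               # end of global section
        !found && tolower($1) == tolower(key) { v = $2; found = 1 }
        END { if (found) print v }'
}

# keyboard_interactive_enabled CONFIG: succeed when sshd would still offer
# keyboard-interactive, the method the MaxAuthTries bypass relies on.
keyboard_interactive_enabled() {
    cra=$(effective_value "$1" ChallengeResponseAuthentication)
    kbd=$(effective_value "$1" KbdInteractiveAuthentication)
    [ "${cra:-yes}" != no ] && [ "$kbd" != no ]
}

# audit_sshd_config CONFIG: print a verdict; exit 0 if mitigated, 1 if not.
audit_sshd_config() {
    tries=$(effective_value "$1" MaxAuthTries)
    if keyboard_interactive_enabled "$1"; then
        echo "exposed: keyboard-interactive on; MaxAuthTries=${tries:-6} can be bypassed"
        return 1
    fi
    echo "mitigated: keyboard-interactive off (MaxAuthTries=${tries:-6})"
}

# Constructed sample configs for a stand-alone run (not real host configs).
VULN_CFG='Port 22
MaxAuthTries 3
#ChallengeResponseAuthentication no'
HARD_CFG='ChallengeResponseAuthentication no
MaxAuthTries 3'
audit_sshd_config "$VULN_CFG" || true   # exposed: the only "no" is commented out
audit_sshd_config "$HARD_CFG"           # mitigated
```

Run the functions against `sshd -T` output rather than the raw file when Match blocks or include files make the effective value hard to read by eye.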