On Thu, Jul 23, 2015 at 11:38:27PM +0200, Marc Espie wrote:
> On Thu, Jul 23, 2015 at 12:29:37PM -0400, Garance A Drosehn wrote:
> > On 23 Jul 2015, at 10:06, Emilio Perea wrote:
> >
> > >To me it looks like a mistimed April Fools' joke, but hope somebody
> > >more knowledgeable will respond:
> > >
There's one obvious thing I totally forgot to mention, but the initial spin
put on this issue is *all wrong*.
Calling that an "OpenSSH bug" is, pure and simple, slander.
If anything, it is a PAM bug.
Or you can say it's a system integration bug on FreeBSD.
Calling that an OpenSSH bug just beca
Em 24-07-2015 14:27, Kevin Chadwick escreveu:
> The guidance is to use pubkey or long passwords in which case you
> should either have no problem or notice the cpu cycles if you're an admin
> worth any salt.
There is a lot of info regarding OpenSSH best practices. The link below
[1] is one of them.
On Thu, 23 Jul 2015 18:12:28 -0400
Garance A Drosehn wrote:
> > to write software defensively if you want PAM to not fuck you over.
>
> It happens that I'm setting up some new (to me) RHEL 7 systems right
> now,
> and way too much time has been spent fighting with PAM (and I'm not done
> yet).
Em 23-07-2015 18:10, Ted Unangst escreveu:
> Come on. Calling it an oversight is not condescending. I think it's perfectly
> reasonable to say it was an oversight. He didn't say it was the hole of the
> century. There's no need to be so defensive.
Yep. Others also told me this off list. I already so
On 23 Jul 2015, at 17:38, Marc Espie wrote:
Not surprisingly, as the patch clearly shows, the problem is right
smack
in the middle of USE_PAM code.
I wouldn't call that an OpenSSH bug. I would call it a systemic design
flaw
in PAM. As usual. LOTS of security holes in authentication systems
On Thu, Jul 23, 2015 at 12:29:37PM -0400, Garance A Drosehn wrote:
> On 23 Jul 2015, at 10:06, Emilio Perea wrote:
>
> >To me it looks like a mistimed April Fools' joke, but hope somebody more
> >knowledgeable will respond:
> >
> >https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interact
On Thu, Jul 23, 2015 at 5:10 PM, Ted Unangst wrote:
> Come on. Calling it an oversight is not condescending. I think it's
> perfectly
> reasonable to say it was an oversight. He didn't say it was the hole of the
> century. There's no need to be so defensive.
>
Given that the last (and first) remo
On Thu, Jul 23, 2015 at 5:10 PM, Ted Unangst wrote:
> Giancarlo Razzolini wrote:
> > > The original post wondered if this was some mis-timed April Fool's
> > > joke. My reply was just to say that it's a real issue, although
> > > many people won't see this issue due to the way sshd is configured
Giancarlo Razzolini wrote:
> > The original post wondered if this was some mis-timed April Fool's
> > joke. My reply was just to say that it's a real issue, although
> > many people won't see this issue due to the way sshd is configured
> > on their systems.
>
> You were condescending, admit it.
Em 23-07-2015 16:43, Garance A Drosehn escreveu:
> As noted in my message, I did actually test it on a variety of systems.
You mentioned FreeBSD boxes and a Mac. That ain't a variety of systems.
> I happened to avoid it on my systems, but that was more by luck than
> any cleverness on my part.
T
On 23 Jul 2015, at 13:33, Theo de Raadt wrote:
>
>> My freebsd boxes do *not* have the problem, but that's because I have
>> set 'ChallengeResponseAuthentication no'.
>> I don't even remember why I set that on my freebsd boxes. I change very
>> few settings, but for some reason I decided to change
On 23 July 2015 at 09:15, Giancarlo Razzolini wrote:
> Em 23-07-2015 11:16, Peter N. M. Hansteen escreveu:
>> However, running that command pointing at a FreeBSD 10.1 box in my care
>> gave more than three tries. I aborted well before reaching 1 for
>> obvious reasons.
> Digging some more, I've
> But it depends on the right (wrong) combination of factors
> which, unfortunately, FreeBSD has.
Exactly.
On 7/23/2015 12:29 PM, Garance A Drosehn wrote:
> On 23 Jul 2015, at 10:06, Emilio Perea wrote:
[snip]
>
> It is a real issue. Your servers might not see the issue depending on
> what
> options have been set for sshd_config. My freebsd boxes do *not* have
> the
> problem, but that's because I
> It is a real issue. Your servers might not see the issue depending on
> what options have been set for sshd_config.
Some operating systems have extremely fast passwd checks, others have
slow ones. FreeBSD seems to be the worst affected because their PAM
integration does not terminate the loop
Em 23-07-2015 13:29, Garance A Drosehn escreveu:
> It is a real issue. Your servers might not see the issue depending on
> what
> options have been set for sshd_config. My freebsd boxes do *not* have
> the
> problem, but that's because I have set
> 'ChallengeResponseAuthentication no'.
> I don't
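The two snippets above name the combination that matters: a PAM integration that does not terminate the keyboard-interactive loop, and an sshd_config that still allows the keyboard-interactive path (ChallengeResponseAuthentication left at its default of yes). The following POSIX sh checker is an added example, not code from the thread, from OpenSSH or from FreeBSD. The function names sshd_opt and kbdint_status are my own, the three sample configs are constructed for the demonstration, and the values used for absent keywords (ChallengeResponseAuthentication yes, UsePAM no, MaxAuthTries 6) are the documented sshd_config(5) defaults; FreeBSD's shipped sshd_config sets UsePAM yes explicitly, which the first sample mirrors.

```shell
#!/bin/sh
# Added example for this thread (not OpenSSH, FreeBSD or any poster's code):
# inspect an sshd_config for the settings the discussion turns on.

# Print the effective global value of one sshd_config keyword read on stdin.
# Keyword matching is case-insensitive and the FIRST occurrence wins, as in
# sshd itself, so a hardening line appended below an earlier setting is
# silently ignored.  Scanning stops at the first Match block, because only
# the global scope is of interest here.
#   $1 = keyword, $2 = value to print when the keyword is not set at all
sshd_opt() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments, blanks
        tolower($1) == "match" { exit }                    # leave global scope
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# Classify a config read on stdin.  Prints "exposed" and returns 1 when the
# keyboard-interactive/PAM path is reachable (ChallengeResponseAuthentication
# yes together with UsePAM yes), otherwise prints "ok" and returns 0.
# MaxAuthTries is reported for context only: the thread's point is that on
# the affected systems it is not what bounds the number of attempts.
kbdint_status() {
    _cfg=$(cat)   # slurp once so several keywords can be queried
    _cra=$(printf '%s\n' "$_cfg" | sshd_opt ChallengeResponseAuthentication yes)
    _pam=$(printf '%s\n' "$_cfg" | sshd_opt UsePAM no)
    _tries=$(printf '%s\n' "$_cfg" | sshd_opt MaxAuthTries 6)
    if [ "$_cra" = yes ] && [ "$_pam" = yes ]; then
        echo "exposed: ChallengeResponseAuthentication=$_cra UsePAM=$_pam MaxAuthTries=$_tries"
        return 1
    fi
    echo "ok: ChallengeResponseAuthentication=$_cra UsePAM=$_pam MaxAuthTries=$_tries"
    return 0
}

# Constructed sample: the shape of a stock FreeBSD-style config as described
# in the thread (ChallengeResponseAuthentication at its default, UsePAM yes).
FREEBSD_LIKE='
# comment line
Port 22
UsePAM yes
MaxAuthTries 6
'

# Constructed sample: the workaround several posters had already applied.
HARDENED='
UsePAM yes
ChallengeResponseAuthentication no
MaxAuthTries 3
'

# Constructed sample: a common mistake.  The "no" is appended after an
# earlier "yes", so sshd keeps the first value and the fix never takes effect.
MISORDERED='
ChallengeResponseAuthentication yes
UsePAM yes
challengeresponseauthentication no
'

for name in FREEBSD_LIKE HARDENED MISORDERED; do
    eval "cfg=\$$name"
    printf '%s: ' "$name"
    printf '%s\n' "$cfg" | kbdint_status || true
done
```

On a live host, feed the checker the effective configuration rather than the file on disk: `sshd -T` (test mode) prints every setting as sshd resolved it, so `sshd -T | kbdint_status` also catches values coming from an included file or from a Match block. One caveat for readers on current releases: OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication (the old name is kept as an alias), so `sshd -T` output on a recent server shows the new keyword and the checker's first query should be adjusted accordingly.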
On 23 Jul 2015, at 10:06, Emilio Perea wrote:
To me it looks like a mistimed April Fools' joke, but hope somebody
more
knowledgeable will respond:
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
It is a real
> > It seems to affect only FreeBSD. But it's bad, and affect a lot of
> > versions, dating back to 2007. And also, as I guessed, interaction with
> > PAM is the culprit.
>
> That's why Dr. House doesn't allow exotic things to be ported to OpenBSD.
> "You Can't Always Get What You Want".
Seriousl
> It seems to affect only FreeBSD. But it's bad, and affect a lot of
> versions, dating back to 2007. And also, as I guessed, interaction with
> PAM is the culprit.
That's why Dr. House doesn't allow exotic things to be ported to OpenBSD.
"You Can't Always Get What You Want".
Em 23-07-2015 11:16, Peter N. M. Hansteen escreveu:
> However, running that command pointing at a FreeBSD 10.1 box in my care
> gave more than three tries. I aborted well before reaching 1 for
> obvious reasons.
Digging some more, I've found this:
http://seclists.org/oss-sec/2015/q3/156
It see
Em 23-07-2015 11:16, Peter N. M. Hansteen escreveu:
> In my *very* limited testing, using variations of the first ssh
> command in that blog post, none of my OpenBSD boxes with fairly
> pristine out of the box /etc/ssh/sshd_config permitted more than three
> tries before closing the connection. I a
On 07/23/15 16:06, Emilio Perea wrote:
> To me it looks like a mistimed April Fools' joke, but hope somebody
> more knowledgeable will respond:
>
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulne
To me it looks like a mistimed April Fools' joke, but hope somebody more
knowledgeable will respond:
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/