Project

General

Profile

Actions

Bug #4875

closed

Security issue with OpenSSH "ChallengeResponseAuthentication yes" (implies KbdInteractiveAuthentication yes)

Added by Maurice Smulders over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
07/23/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

http://www.infoworld.com/article/2951100/security/bug-exposes-openssh-servers-to-bruteforce-password-guessing-attacks.html?phint=newt%3Dinfoworld_sec_rpt&phint=idg_eid%3Db84f5f9e3385a848ce73284e054d7ff1#tk.IFWNLE_nlt_sec_2015-07-23

https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/

This allows the max login count to be bypassed, and lots of simultaneous dictionary password attacks can be done against SSH. The setting on pfsense is
"ChallengeResponseAuthentication yes" in /etc/ssh/sshd_config which implies that the KbdInteractiveAuthentication is yes.

This makes openssh vulnerable, and as sshd_config is generated, just fixing the actual file is not sufficient...


Files

sshd (7.09 KB) sshd Modified /etc/sshd Maurice Smulders, 07/23/2015 08:36 PM
Actions

Also available in: Atom PDF