Date: Sat, 18 Jul 2015 20:20:08 -0600 From: Brett Glass <brett@lariat.org> To: Mike Tancsa <mike@sentex.net>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: OpenSSH max auth tries issue Message-ID: <201507190220.UAA14096@mail.lariat.net> In-Reply-To: <55A95526.3070509@sentex.net> References: <55A95526.3070509@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Because a potential intruder can establish multiple or "tag-teamed" TCP sessions (possibly from different IPs) to the SSH server, a per-session limit is barely useful and will not slow a determined attacker. A global limit might, but would enable DoS attacks. --Brett Glass At 01:19 PM 7/17/2015, Mike Tancsa wrote: >Not sure if others have seen this yet > >------------------ > > >https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/ > >"OpenSSH has a default value of six authentication tries before it will >close the connection (the ssh client allows only three password entries >per default). > >With this vulnerability an attacker is able to request as many password >prompts limited by the “login graced time” setting, that is set to two >minutes by default." > > >-- >------------------- >Mike Tancsa, tel +1 519 651 3400 >Sentex Communications, mike@sentex.net >Providing Internet services since 1994 www.sentex.net >Cambridge, Ontario Canada http://www.tancsa.com/ >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201507190220.UAA14096>