From owner-freebsd-security@freebsd.org Tue Jul 21 03:04:49 2015
Date: Sat, 18 Jul 2015 20:20:08 -0600
From: Brett Glass
To: Mike Tancsa, "freebsd-security@freebsd.org"
Subject: Re: OpenSSH max auth tries issue
Message-Id: <201507190220.UAA14096@mail.lariat.net>
In-Reply-To: <55A95526.3070509@sentex.net>
List-Id: "Security issues [members-only posting]"

Because a potential intruder can establish multiple or "tag-teamed" TCP sessions (possibly from different IPs) to the SSH server, a per-session limit is barely useful and will not slow a determined attacker. A global limit might, but would enable DoS attacks.
--Brett Glass

At 01:19 PM 7/17/2015, Mike Tancsa wrote:
>Not sure if others have seen this yet
>
>------------------
>
>https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>
>"OpenSSH has a default value of six authentication tries before it will
>close the connection (the ssh client allows only three password entries
>per default).
>
>With this vulnerability an attacker is able to request as many password
>prompts limited by the “login graced time” setting, that is set to two
>minutes by default."
>
>--
>-------------------
>Mike Tancsa, tel +1 519 651 3400
>Sentex Communications, mike@sentex.net
>Providing Internet services since 1994 www.sentex.net
>Cambridge, Ontario Canada http://www.tancsa.com/
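As an added illustration of the per-session versus per-source distinction raised above (example code, not from the thread or from OpenSSH): this script parses sshd "Failed keyboard-interactive" lines and counts failures both per TCP connection and per source address, so a source that spreads its attempts across several connections is still noticed even though no single session exceeds MaxAuthTries. The log lines, hostname, pids and addresses are constructed sample data.

```python
import re
from collections import defaultdict

MAX_AUTH_TRIES = 6  # OpenSSH default, as quoted in the thread

# sshd's format for a failed attempt; pid + ip + port identify one TCP session.
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2"
)

def make_lines(ip, port, pid, n):
    """Build n constructed failure lines for one connection (sample data, not a real log)."""
    return [f"Jul 18 20:01:{i:02d} host sshd[{pid}]: Failed keyboard-interactive/pam "
            f"for root from {ip} port {port} ssh2" for i in range(n)]

# Constructed sample: 192.0.2.10 splits 7 failures over two sessions (each under the
# limit), 198.51.100.7 makes 7 in one session, 203.0.113.5 fails once.
SAMPLE_LOG = "\n".join(
    make_lines("192.0.2.10", 40001, 1001, 4) + make_lines("192.0.2.10", 40002, 1002, 3)
    + make_lines("198.51.100.7", 50001, 1003, 7) + make_lines("203.0.113.5", 60001, 1004, 1))

def count_failures(log_text):
    """Return (per_session, per_source): failures keyed by (ip, port, pid) and by ip alone."""
    per_session = defaultdict(int)
    per_source = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_session[(m["ip"], m["port"], m["pid"])] += 1
            per_source[m["ip"]] += 1
    return per_session, per_source

def flag_sessions(per_session, limit=MAX_AUTH_TRIES):
    """Single connections with more failures than MaxAuthTries should ever permit."""
    return sorted(k for k, n in per_session.items() if n > limit)

def flag_sources(per_source, limit=MAX_AUTH_TRIES):
    """Sources over the limit in aggregate, even when no single session is (tag-teaming)."""
    return sorted(ip for ip, n in per_source.items() if n > limit)

if __name__ == "__main__":
    sessions, sources = count_failures(SAMPLE_LOG)
    print("sessions over limit:", flag_sessions(sessions))  # [('198.51.100.7', '50001', '1003')]
    print("sources over limit: ", flag_sources(sources))    # ['192.0.2.10', '198.51.100.7']
```

Keying on the source address alone is what a per-source limit would see; keying on (ip, port, pid) is what a per-session limit sees, which is why the first address only shows up in the second list.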