From owner-freebsd-security@freebsd.org  Fri Jul 17 19:18:42 2015
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A49899A4F08
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Fri, 17 Jul 2015 19:18:42 +0000 (UTC) (envelope-from mike@sentex.net)
Received: from smarthost1.sentex.ca (smarthost1.sentex.ca
 [IPv6:2607:f3e0:0:1::12])
 (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
 (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 6A3B61893
 for <freebsd-security@freebsd.org>; Fri, 17 Jul 2015 19:18:42 +0000 (UTC)
 (envelope-from mike@sentex.net)
Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca
 [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a])
 by smarthost1.sentex.ca (8.14.9/8.14.9) with ESMTP id t6HJIfLP093776;
 Fri, 17 Jul 2015 15:18:41 -0400 (EDT) (envelope-from mike@sentex.net)
Message-ID: <55A95526.3070509@sentex.net>
Date: Fri, 17 Jul 2015 15:19:02 -0400
From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: OpenSSH max auth tries issue
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2015 19:18:42 -0000

Not sure if others have seen this yet

------------------


https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/

"OpenSSH has a default value of six authentication tries before it will
close the connection (the ssh client allows only three password entries
per default).

With this vulnerability an attacker is able to request as many password
prompts limited by the “login graced time” setting, that is set to two
minutes by default."


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/