Brute Force for keyboard-interactive OpenSSH Logins Discovered

There is a proof of concept which allows for an attacker to attempt to brute force OpenSSH servers with keyboard-interactive logins enabled. FreeBSD users are especially affected as FreeBSD allows keyboard-interactive OpenSSH logins by default. This brute force allows attempting up to 10,000 password entries at a time. For quite some time it has been known that all forms of password authentication over SSH are weaker by necessity than key based authentication which should be the only login method allowed on any machines over SSH. This is a rather minor enhancement to an existing protocol level vulnerability, but this incident should serve as a reminder that a well configured SSH server will by necessity only allow key based logins. A patch which corrects this issue has already been committed to the source tree and will be included with OpenSSH 7.0 which is due for release in a few weeks.

One thought on “Brute Force for keyboard-interactive OpenSSH Logins Discovered

  1. And it turns our "Mostly affects FreeBSD" mean it pretty much only affects FreeBSD because the essence of the issue is a system integration problem.

Leave a Reply to Bingo Boingo Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>