I read an article today about keyboard interactive auth allowing bruteforcing.

I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config?

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |
I just stumbled upon this story too (on /.), and as far as I understand it, it allows a somewhat simpler way to perform brute force attacks.

If you go about bruteforcing ssh, does it really matter that much if you do it over one or 10 TCP connections?

If you do not have an IDS (Intrusion Detection System, fail2ban or OSSEC HIDS) installed and functioning, this bug does not matter all that much. A determined attacker has this covered, regardless of the number of kbd-interactive attempts you allow per single connection.

b.

PS: Actually I tried the proof of concept + patch provided for ssh. OpenSSH, patched with this patch, does not even compile.

On 22 July 2015 at 21:41, Scott Neugroschl <scott_n at xypro.com> wrote:
> I read an article today about keyboard interactive auth allowing bruteforcing.
>
> I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config?
>
>
> ---
> Scott Neugroschl | XYPRO Technology Corporation
> 4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On 22/07/15 21:41, Scott Neugroschl wrote:
> I read an article today about keyboard interactive auth allowing bruteforcing.
>
> I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config?

keyboard-interactive would ask the user for a password. You could be doing something a bit different through PAM, but given your query, you probably aren't, and both password and keyboard-interactive are basically equivalent on your system.

Does it allow bruteforcing? Yes, they could attempt your users' passwords. But they are using safe passwords, right?

My advice is:
* Disable password authentication for root (PermitRootLogin to no or without-password). This is by far the most attacked account, and the one they can do most damage through.
* Do not allow users simple passwords (at the very least, the password must not contain the username).
* Ban IPs after X failures (use a tool like fail2ban).
* Locking out an account after X password failures may be an appropriate measure, but largely depends on your setup (eg. How should the lock expire, or shall the unlock be manual? Can your clients call your helpdesk and get unlocked?). This would be configured through PAM.

Best regards
And to answer your question about what to do, you have three options:
- disable access to ssh with a firewall
- disable password authentication
- install and enable an IDS to mitigate brute forcing

b.

On 22 July 2015 at 22:54, Bostjan Skufca <bostjan at a2o.si> wrote:
> I just stumbled upon this story too (on /.), and as far as I
> understand it, it allows a bit simpler way to perform brute force
> attacks.
>
> If you go about bruteforcing ssh, does it really matter that much if
> you do it over one or 10 tcp connections?
>
> If you do not have IDS (Intrusion Detection System, fail2ban or ossec
> HIDS) installed and functioning, this bug does not matter all that
> much. Determined attacker has this covered, regardles of number of
> kbd-interactive attempts you allow per single connection.
>
> b.
>
> PS: Actually I tried the proof of concept + patch provided for ssh.
> Openssh, patched with this patch, does not even compile.
>
> On 22 July 2015 at 21:41, Scott Neugroschl <scott_n at xypro.com> wrote:
>> I read an article today about keyboard interactive auth allowing bruteforcing.
>>
>> I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config?
>>
>>
>> ---
>> Scott Neugroschl | XYPRO Technology Corporation
>> 4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |
On 22/07/15 22:54, Bostjan Skufca wrote:
> I just stumbled upon this story too (on /.), and as far as I
> understand it, it allows a bit simpler way to perform brute force
> attacks.

Thanks for the pointer, Bostjan:

http://it.slashdot.org/story/15/07/22/1715244/bug-exposes-openssh-servers-to-brute-force-password-guessing-attacks
https://www.reddit.com/r/netsec/comments/3dnzcq/openssh_keyboardinteractive_authentication_brute/
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
On Wed, Jul 22, 2015 at 07:41:54PM +0000, Scott Neugroschl wrote:
> I read an article today about keyboard interactive auth allowing
> bruteforcing.
>
> I'm afraid I have minimal understanding of what keyboard-interactive
> really does. What does it do, and should I have my clients set it to
> off in sshd_config?

Hi.

A bug in the keyboard-interactive codebase allows querying a keyboard-interactive device more than once per auth request.

By sending a comma-delimited keyboard-interactive device list with repeats (e.g. "pam, pam, pam, ..."), one can circumvent an OpenSSH server's MaxAuthTries restriction.

That's the crux of the issue.

Attached patch fixes.

--mancha
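The mechanism mancha describes, as an added toy model (not OpenSSH's code; the real logic lives in C in auth2-chall.c and differs in detail): the server walks the client's comma-delimited device list once per authentication request, and in the vulnerable behaviour every entry naming a real device earns a fresh prompt while the failure counter behind MaxAuthTries only advances when the list is exhausted. The single server device "pam", MaxAuthTries=6 and the function names are assumptions chosen for illustration; the "fixed" variant applies the one rule the message states, each device queried at most once per auth request.

```python
"""Toy model of server-side keyboard-interactive device selection.

Added example for this thread; it is not OpenSSH's code.  It models the
behaviour described above: a client-supplied, comma-delimited device
list with repeats, walked once per authentication request.  The server
device name, MaxAuthTries=6 and all function names are assumptions.
"""

SERVER_DEVICES = ("pam",)   # devices this server has available (assumption)


def parse_device_list(client_devices: str) -> list[str]:
    """Split the client's comma-delimited list, tolerating spaces and empty entries."""
    return [d.strip() for d in client_devices.split(",") if d.strip()]


def prompts_per_connection_vulnerable(client_devices: str, max_auth_tries: int = 6) -> int:
    """Guesses one connection gets when each listed device is queried in turn.

    Every entry naming a real device yields its own prompt (one password
    guess).  The failure counter only advances once the whole list has
    been walked, so list length multiplies the guesses before disconnect.
    """
    guesses = 0
    failures = 0
    while failures < max_auth_tries:
        for name in parse_device_list(client_devices):
            if name in SERVER_DEVICES:
                guesses += 1      # another prompt, no failure counted yet
        failures += 1             # list exhausted: now one failure is counted
    return guesses


def prompts_per_connection_fixed(client_devices: str, max_auth_tries: int = 6) -> int:
    """Same walk, but a device may be queried only once per authentication
    request, so repeats in the client's list add nothing."""
    guesses = 0
    failures = 0
    while failures < max_auth_tries:
        done = set()              # devices already queried in this request
        for name in parse_device_list(client_devices):
            if name in SERVER_DEVICES and name not in done:
                done.add(name)
                guesses += 1
        failures += 1
    return guesses


if __name__ == "__main__":
    honest = "pam"
    abusive = ",".join(["pam"] * 1000)
    print("honest list, vulnerable server:", prompts_per_connection_vulnerable(honest))
    print("1000x list,  vulnerable server:", prompts_per_connection_vulnerable(abusive))
    print("1000x list,  fixed server:     ", prompts_per_connection_fixed(abusive))
```

On the client side the list is what ssh's KbdInteractiveDevices option carries, which is why no special tooling is needed to send it. The model ignores LoginGraceTime; on a real server that timer still drops the connection, so the bypass buys the attacker as many guesses as fit inside the grace period rather than an unlimited number.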
On 22/07/15 13:56, Ángel González wrote:
> On 22/07/15 21:41, Scott Neugroschl wrote:
>> I read an article today about keyboard interactive auth allowing bruteforcing.
>>
>> I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config?
> keyboard-interactive would ask the user for a password. You could be doing something a bit different through PAM, but given your query, you probably aren't, and
> both password and keyboard-interactive are basically equivalent on your system.

What is the difference between password and keyboard-interactive?
Thanks for the clarification.

One question though: As far as I have tested OpenSSH, it logs every unsuccessful authentication attempt at the very moment it becomes unsuccessful, not after the connection is closed (after timeout or when reaching max auth attempts).

Is this true even for this attack, or not? Because if it is true, and there is an IDS system that bans an IP after X failed logins, there should not be any problem. But if logging is deferred for any reason, then the IDS can not detect the attack in a timely manner.

b.

On 23 July 2015 at 01:03, mancha <mancha1 at zoho.com> wrote:
> On Wed, Jul 22, 2015 at 07:41:54PM +0000, Scott Neugroschl wrote:
>> I read an article today about keyboard interactive auth allowing
>> bruteforcing.
>>
>> I'm afraid I have minimal understanding of what keyboard-interactive
>> really does. What does it do, and should I have my clients set it to
>> off in sshd_config?
>
> Hi.
>
> A bug in the keyboard-interactive codebase allows querying a
> keyboard-interactive device more than once per auth request.
>
> By sending a comma-delimited keyboard-interactive device list with
> repeats (e.g. "pam, pam, pam, ..."), one can circumvent an OpenSSH
> server's MaxAuthTries restriction.
>
> That's the crux of the issue.
>
> Attached patch fixes.
>
> --mancha
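The detection side of the question above, as an added example that is not part of the thread, OpenSSH or fail2ban: if sshd emits one "Failed ... for ... from ... port ... ssh2" line per failed attempt, a log watcher can both ban a source after N failures (the fail2ban-style check) and flag the bypass itself, because a single connection (same pid and source port) showing more failures than MaxAuthTries should be impossible on a correctly enforcing server. The log lines are constructed to follow the shape of sshd's messages and are not from a real host; the thresholds and function names are assumptions.

```python
"""Count sshd authentication failures per source and per connection.

Added example for this thread; not OpenSSH or fail2ban code.  The log
lines are constructed to match the shape of sshd's
"Failed <method> for <user> from <ip> port <port> ssh2" messages and do
not come from a real host.  Thresholds are illustrative assumptions.
"""
import re
from collections import Counter

# One connection (same pid, same source port) with far more failures than
# MaxAuthTries permits: the signature of the repeated-device bypass.
ATTACK_IP, ATTACK_PORT, ATTACK_PID = "203.0.113.5", "51234", "4242"

CONSTRUCTED_LOG = [
    f"Jul 23 01:10:{sec:02d} host sshd[{ATTACK_PID}]: Failed keyboard-interactive/pam "
    f"for root from {ATTACK_IP} port {ATTACK_PORT} ssh2"
    for sec in range(1, 21)          # 20 failures on a single TCP connection
] + [
    "Jul 23 01:10:25 host sshd[4243]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Jul 23 01:10:26 host sshd[4243]: Connection closed by 198.51.100.7 [preauth]",
    "Jul 23 01:10:30 host sshd[4244]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2",
]

FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+) ssh2"
)


def parse_failures(lines):
    """Return one dict (pid, method, user, ip, port) per failed-auth line."""
    failures = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures.append(m.groupdict())
    return failures


def failures_per_ip(failures):
    """Failure count keyed by source address."""
    return Counter(f["ip"] for f in failures)


def ips_to_ban(failures, maxretry=5):
    """Sources with more than `maxretry` failures, as a fail2ban-style jail
    with a matching failregex would decide (time window omitted here)."""
    return {ip for ip, n in failures_per_ip(failures).items() if n > maxretry}


def connections_exceeding_max_auth_tries(failures, max_auth_tries=6):
    """Connections (ip, port, pid) whose failure count exceeds MaxAuthTries.

    An enforced MaxAuthTries makes this impossible, so any hit points at
    the bypass discussed above or at a misconfigured limit."""
    per_conn = Counter((f["ip"], f["port"], f["pid"]) for f in failures)
    return {conn: n for conn, n in per_conn.items() if n > max_auth_tries}


if __name__ == "__main__":
    fails = parse_failures(CONSTRUCTED_LOG)
    print("failures per IP:", dict(failures_per_ip(fails)))
    print("ban:", sorted(ips_to_ban(fails)))
    print("over MaxAuthTries:", connections_exceeding_max_auth_tries(fails))
```

The per-IP ban works only if each failed response is logged as it happens, which is exactly the property Bostjan asks about; if the lines only appeared when the connection closed, the whole burst would land after the guesses were already made. The per-connection check is useful independently of banning: it tells you whether your sshd actually enforces MaxAuthTries.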