SoylentNews
SoylentNews is people
https://soylentnews.org/

canopic jug wrote in with:

Peter N. M. Hansteen writes about a bug that occurs when Pluggable Authentication Modules (PAM) are used in conjunction with OpenSSH set to keyboard-interactive. The bug first blogged about back on the 16th, which showed a way to bypass MaxAuthTries limits for certain configurations. When the bug is exploited it allows virtually unlimited tries at password authentication, good enough for brute-force password guessing. One easy way to mitigate this is to disable password authentication all together and use only keys with OpenSSH.

Mr. Hansteen tested several various systems on OpenBSD, Linux, and FreeBSD, and could only find issue with the FreeBSD box, as the others apparently had default configurations which did not allow this. The original blog does have a simple one line ssh command to test if your system is vulnerable. Fail2ban should help stop this, but may not completely mitigate depending on firewall rule setup.

Here is some more interesting info on the subject from the OpenBSD mailing list. Most comments seem to indicate that while this may be concerning it probably isn't world-shattering. Still it is something to keep in mind when hardening systems.

Original Submission

1. "canopic jug" - https://soylentnews.org/~canopic+jug/
2. "a bug that occurs when Pluggable Authentication Modules (PAM) are used in conjunction with OpenSSH set to keyboard-interactive" - http://bsdly.blogspot.com/2015/07/the-openssh-bug-that-wasnt.html
3. "bypass MaxAuthTries limits" - https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
4. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=8503

printed from SoylentNews, The OpenSSH/PAM Bug on 2024-05-02 11:52:53