On 23-07-2015 13:29, Garance A Drosehn wrote:
> It is a real issue. Your servers might not see the issue depending on what
> options have been set for sshd_config. My freebsd boxes do *not* have the
> problem, but that's because I have set 'ChallengeResponseAuthentication no'.
> I don't even remember why I set that on my freebsd boxes. I change very
> few settings, but for some reason I decided to change that one.

Yes, it seems so. Going through the source code and the openssh-unix-dev mailing list, I see that it's indeed an issue that could affect a lot of machines. But it depends on the right (wrong) combination of factors which, unfortunately, FreeBSD has. Using the default ssh configuration, you need to append the -o NumberOfPasswordPrompts=10000 option to be able to test this bug. My first attempts didn't have this. But I still can't replicate it on Linux hosts. I can reproduce it on Macs too. And it's as nasty as on FreeBSD.

The problem is with the KbdInteractiveAuthentication option, which defaults to the same value as ChallengeResponseAuthentication, which in turn has the "yes" default. If there are any forms of PAM authentication delays, they still apply. But that could perhaps be overcome with some kind of distributed attack, with many connections opened.

Cheers,
Giancarlo Razzolini
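
The following audit helper is an added example, not part of the original message or of OpenSSH. It resolves the effective global KbdInteractiveAuthentication value from sshd_config text using the default chain described above; the function name `effective_kbdint` and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# effective_kbdint FILE: print the effective global value ("yes"/"no") of
# KbdInteractiveAuthentication for the given sshd_config text.
effective_kbdint() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t=]+/)) next   # keyword without a value
            key = tolower(substr(line, 1, RSTART - 1))
            val = tolower(substr(line, RSTART + RLENGTH))
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit            # conditional blocks: global section ends
            # sshd keeps the first value it reads for each keyword
            if (key == "challengeresponseauthentication" && cra == "") cra = val
            if (key == "kbdinteractiveauthentication" && kbd == "") kbd = val
        }
        END {
            if (cra == "") cra = "yes"          # default named in the message
            if (kbd == "") kbd = cra            # inherits ChallengeResponseAuthentication
            print kbd
        }
    ' "$1"
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
printf '%s\n' '#ChallengeResponseAuthentication yes' 'UsePAM yes' > "$tmp/default.conf"
printf '%s\n' 'ChallengeResponseAuthentication no' > "$tmp/cra_off.conf"
printf '%s\n' 'ChallengeResponseAuthentication no' \
              'KbdInteractiveAuthentication yes' > "$tmp/override.conf"

for f in default cra_off override; do
    echo "$f: keyboard-interactive = $(effective_kbdint "$tmp/$f.conf")"
done
```

The third sample shows that setting only ChallengeResponseAuthentication is not enough if KbdInteractiveAuthentication is set explicitly elsewhere in the file. On a live host, `sshd -T` prints the values the daemon itself resolved.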