[Freedombox-discuss] SSH problem

Philip Hands phil at hands.com
Thu Jul 23 08:20:24 UTC 2015

Jonas Smedegaard <dr at jones.dk> writes:

> Hi Sandy,
> Quoting Sandy Harris (2015-07-22 20:55:42)
>> Is this an issue for the Box? I presume there'll be a fix & debian 
>> will include it so we should be covered, but it seems worth noting.
>> http://www.itworld.com/article/2951494/bug-exposes-openssh-servers-to-bruteforce-password-guessing-attacks.html
> Please file a bugreport against openssh-server.

Don't bother - there's a fix for this already that will be in the next

Also, I'd hope that we'd be putting fail2ban (or similar) on the
freedombox, if password authentication is allowed at all, in which case
that would catch this too.

One can protect against this specific attack by setting:

  KbdInteractiveAuthentication   no

if that is unset in the config, it defaults to whatever
ChallengeResponseAuthentication is set to, so setting that to 'no' will
generally do the trick too.  However, that's not so useful if one
actually wants to allow password authentication.

Cheers, Phil.
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20150723/52f93fdd/attachment.sig>

More information about the Freedombox-discuss mailing list