OpenSSH server open to almost unlimited password-guessing bug

A flaw in OpenSSH lets attackers bypass simple limits on the number of password login attempts that can be made per connection.

By default, the encrypted service accepts six tries within a grace period of two minutes before breaking off a connection, which hampers brute-force attacks, but this mechanism can be easily sidestepped, it appears.

A hacker using the handle KingCope says OpenSSH can be manipulated such that attackers can set their own limits for the number of keyboard-entered login attempts allowed within the grace period.

This means an attacker can write a script that makes thousands of login attempts without any slow down from the server; this seriously elevates the threat of someone successfully guessing an account's password, and accessing a protected system.

KingCope's proof-of-concept exploit is such a simple piece of parameter-passing, it looks almost like a feature rather than a bug:

ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost

"This will effectively allow up to 10,000 password entries limited by the login grace time setting," KingCope claimed on the Full-Disclosure mailing list this week.

"The crucial part is that if the attacker requests 10,000 keyboard-interactive devices OpenSSH will gracefully execute the request and will be inside a loop to accept passwords until the specified devices are exceeded."

The bug affects the latest version of OpenSSH. Installations using crypto keys exclusively for authentication are not vulnerable as the flaw relies on keyboard-entered passwords. Admins running fail2ban or pam-shield should, in theory, be safe since failed login attempts can be detected and the brute-forcing IP addresses banned. Reducing the grace period to 20 or 30 seconds is another mitigation. ®