
The OpenSSH Bug That Wasn't

129 points by glass- almost 10 years ago

10 comments

geerlingguy, almost 10 years ago

Key takeaway:

> And as several correspondents have reminded me already -- switching your sshd to keys only authentication will let you sleep better at night.

Even with fail2ban and limited retries, there's no excuse for using password-based authentication anymore. Use an SSH key, protect the key with a password, and turn off password login on all your servers.

Other than that, the main gist of this post is: on most platforms, the default settings for remote login already make brute-force login attempts annoying at best, and with fail2ban or something similar, it's a non-issue.
akkartik, almost 10 years ago

Oh, good old PAM: http://web.archive.org/web/20131205090841/http://deadmemes.net/2010/10/19/fear-and-loathing-in-debianubuntu-or-who-needs-etcmotd (Discussed previously: https://news.ycombinator.com/item?id=3325510)
cbsmith, almost 10 years ago

This really is a bug in _how_ OpenSSH USE_PAM is implemented.

Particularly if you presume that PAM is the devil, the last thing you want to do, from a security standpoint, is to let a client dictate how a server applies PAM. The policy _has_ to be entirely controlled by the server's config. Once you let the client decide, you're just asking for things to go wrong.
feld, almost 10 years ago

Thankfully my use of PAM is for 2FA with SSH when I don't have my key. So they wouldn't have been successful in pulling off a bruteforce anyway. But it's annoying that their attempts weren't being limited as it can waste resources...
hyperion2010, almost 10 years ago

I have disabled PAM by default on all my boxes that run sshd for the last 9 years out of habit; I long ago forgot the reason why (probably because the gentoo sshd handbook entry said it was a good idea). Why UsePAM is set to yes in sshd_config by default on many distros is beyond me.
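A small audit of the settings the comments above argue about (keys-only login, UsePAM left at yes), as an added example that is not from the thread or from OpenSSH: it reads sshd_config the way sshd does (keywords are case-insensitive, the first value for a keyword wins, Match blocks are conditional and are skipped) and reports the global settings that still admit password guessing. The directive names are real OpenSSH ones; the two sample configs are constructed.

```python
import re

# sshd keywords are case-insensitive and the FIRST value wins; these are OpenSSH's defaults when unset.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",      # ChallengeResponseAuthentication is the older name
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "usepam": "no",
    "maxauthtries": "6",
}

def parse_sshd_config(text):
    """Return {keyword: value} for the global section, i.e. everything before a Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                     # conditional overrides are not global policy
        settings.setdefault(key, value)               # first occurrence wins, as in sshd
    return settings

def audit_sshd_config(text):
    """List the global settings that still allow password guessing against this sshd."""
    cfg = parse_sshd_config(text)
    val = lambda k: cfg.get(k, DEFAULTS[k]).lower()
    findings = []
    if val("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: set it to no and log in with keys")
    # keyboard-interactive stays enabled unless either spelling of the directive turns it off
    kbd_on = val("kbdinteractiveauthentication") == "yes" and val("challengeresponseauthentication") == "yes"
    if kbd_on and val("usepam") == "yes":
        findings.append("UsePAM yes with keyboard-interactive enabled: PAM handles interactive auth")
    if val("pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication no: key-only login is impossible")
    if int(val("maxauthtries")) > 6:
        findings.append("MaxAuthTries %s: above the default of 6" % val("maxauthtries"))
    return findings

# Constructed samples, not from the thread: distro-style defaults versus a keys-only server.
WEAK_CONFIG = "UsePAM yes\nPasswordAuthentication yes\nChallengeResponseAuthentication yes\nMaxAuthTries 10\n"
HARDENED_CONFIG = "PubkeyAuthentication yes\nPasswordAuthentication no\nKbdInteractiveAuthentication no\nUsePAM no\nMatch User deploy\n    PasswordAuthentication yes\n"
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a host to see its own findings; an empty list means the global policy is keys-only.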
liveoneggs, almost 10 years ago

NetBSD is integrating a system called blacklistd to address fail2ban being less than elegant.

http://netbsd.gw.com/cgi-bin/man-cgi?blacklistd++NetBSD-current
j_m_b, almost 10 years ago

I am curious as to what happens when this is done with an existent user. I feel like there would be different behaviors for timeouts when a non-existent username is used and when a wrong password is used for an existent username.
baby, almost 10 years ago

They talk about FreeBSD in the original article and the guy tests that on other OS and says it's not a serious vuln?

This is a serious vuln for FreeBSD. Period.
pellaeon, almost 10 years ago

FreeBSD hasn't released a patch, so I patched it myself.

https://nyllep.wordpress.com/2015/07/25/emergency-fix-for-cve-2015-5600-on-freebsd/
gosukiwi, almost 10 years ago

Lol'd at the blog's title