OpenSSH -- MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices

ID 5B74A5BC-348F-11E5-BA05-C80AA9043978
Type freebsd
Reporter FreeBSD
Modified 2016-08-09T00:00:00


It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.
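The missing check described above, sketched as an added example (not OpenSSH's own code or its actual fix): a server-side routine that collapses a client-supplied, comma-separated device list to its distinct names before any of them is tried. The function name, the size caps and the sample list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEVICES 8   /* assumed cap on distinct device names */
#define MAX_NAME    32  /* assumed cap on the length of one name */

/*
 * Copy the comma-separated list `list` into `out`, keeping only the first
 * occurrence of each name. Returns the number of names kept, or -1 when a
 * name is too long, there are too many distinct names, or `out` is too small.
 */
int dedup_devices(const char *list, char *out, size_t outlen)
{
    char seen[MAX_DEVICES][MAX_NAME];
    int nseen = 0;
    size_t used = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*list != '\0') {
        size_t len = strcspn(list, ",");   /* length of the next name */
        int dup = 0;
        if (len >= MAX_NAME)
            return -1;
        for (int i = 0; i < nseen; i++)
            if (strlen(seen[i]) == len && memcmp(seen[i], list, len) == 0)
                dup = 1;
        if (len > 0 && !dup) {             /* skip empty and repeated names */
            if (nseen == MAX_DEVICES || used + len + 2 > outlen)
                return -1;                 /* room for ',' + name + NUL */
            memcpy(seen[nseen], list, len);
            seen[nseen++][len] = '\0';
            if (used > 0)
                out[used++] = ',';
            memcpy(out + used, list, len);
            used += len;
            out[used] = '\0';
        }
        list += len + (list[len] == ','); /* step over name and separator */
    }
    return nseen;
}

int main(void)
{
    char clean[128];  /* the list below is constructed, not captured traffic */
    int n = dedup_devices("pam,pam,bsdauth,pam", clean, sizeof clean);
    printf("%d distinct devices: %s\n", n, clean);
    return 0;
}
```

With the list reduced to distinct names, the number of devices a single request can name no longer grows with repetition, so the per-connection attempt limit stays meaningful.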