#
# This is to fix a keyboard-interactive authentication brute force
# vulnerability (MaxAuthTries bypass). A CVE number (CVE-2015-5600) has been
# reserved for this problem, but not officially issued yet. This fix came from
# OpenSSH upstream, which will be included in the future OpenSSH 7.0p1 release.
# When we upgrade OpenSSH to 7.0 in the future, we will remove this patch.
#
--- a/auth2-chall.c Mon Aug 3 15:25:43 2015
+++ b/auth2-chall.c Mon Aug 3 15:28:17 2015
@@ -82,6 +82,7 @@
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};
#ifdef USE_PAM
@@ -168,11 +169,15 @@
if (len == 0)
break;
for (i = 0; devices[i]; i++) {
- if (!auth2_method_allowed(authctxt,
+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+ !auth2_method_allowed(authctxt,
"keyboard-interactive", devices[i]->name))
continue;
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+ if (strncmp(kbdintctxt->devices, devices[i]->name,
+ len) == 0) {
kbdintctxt->device = devices[i];
+ kbdintctxt->devices_done |= 1 << i;
+ }
}
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;