Bug in OpenSSH makes brute-forcing passwords easier
A bug in OpenSSH makes it possible to send thousands of login requests per minute, depending on the quality of the connection. This works even when the maximum number of login attempts is set low.
The vulnerability makes it much easier to brute-force SSH servers. Security researcher King Cope discovered the issue and published details about it on the oss-sec mailing list.
Normally, the number of login attempts on an OpenSSH server is limited, and a server's administrator can reduce that maximum further. Because of the vulnerability, however, the number of login attempts is unlimited in practice. The vulnerability is easy to exploit; all it takes is a relatively simple OpenSSH command.
Brute-force attacks on OpenSSH servers are already a big problem; servers with simple passwords in particular fall prey to attackers who scan the internet for vulnerable servers. Administrators of servers with a security certificate have less to worry about. OpenSSH itself has not been patched yet, although the discoverer has already written a patch.
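For administrators who want to check their own logs: since one connection should never log more failures than the configured maximum, an sshd process that does is a direct sign of the behaviour described above. The following detector is an added example, not code from the researcher or from OpenSSH; the limit of 6, the syslog line layout (including rsyslog's "message repeated" form) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

MAX_AUTH_TRIES = 6  # assumption: sshd_config MaxAuthTries default; use your configured value

# sshd logs one "Failed <method> for <user> from <ip>" line per rejected attempt.
# rsyslog may collapse duplicates into "message repeated N times: [ ... ]".
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:message repeated (?P<rep>\d+) times: \[ )?"
    r"Failed \S+ for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def connections_over_limit(lines, limit=MAX_AUTH_TRIES):
    """Return {(sshd_pid, source_ip): failures} for connections above the limit.

    Each connection is served by its own sshd process, so failures sharing a
    PID belong to one connection (PID reuse across long logs is ignored here).
    """
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[(m["pid"], m["ip"])] += int(m["rep"] or 1)
    return {key: n for key, n in counts.items() if n > limit}

def constructed_log():
    """Constructed sample lines (documentation IP ranges), not real log data."""
    burst = "Failed password for root from 203.0.113.7 port 50022 ssh2"
    lines = [f"Jul 21 10:00:{s:02d} host sshd[4121]: {burst}" for s in range(10)]
    lines.append(f"Jul 21 10:00:10 host sshd[4121]: message repeated 30 times: [ {burst}]")
    lines += [
        f"Jul 21 10:02:{s:02d} host sshd[4130]: Failed password for invalid user "
        "admin from 198.51.100.9 port 41000 ssh2"
        for s in range(3)
    ]
    lines.append("Jul 21 10:03:00 host sshd[4140]: Accepted publickey for ops "
                 "from 192.0.2.10 port 40100 ssh2")
    return lines

if __name__ == "__main__":
    for (pid, ip), n in connections_over_limit(constructed_log()).items():
        print(f"sshd[{pid}] from {ip}: {n} failed attempts in one connection")
```

Feed it the lines of the server's authentication log; ordinary password guessing spread over many short connections stays under the limit per PID and is not flagged by this check.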