SSH < 3.1.2 AllowedAuthentications Remote Bypass (deprecated)
Low Nessus Network Monitor Plugin ID 1982
Synopsis: The remote host may give an attacker information useful for future attacks.
Description: The remote host is running a version of the SSH daemon older than 3.1.2 or equal to 3.0.0. A vulnerability in this release may, under some circumstances, allow users to authenticate with a password even though password authentication is not explicitly listed as a valid authentication mechanism. An attacker may use this flaw to brute-force a password with a dictionary attack (if the password used is weak).
Solution: Upgrade to SSH 3.1.2 or higher.