It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.
Unitrends Risk Assessment: None with security updates 4/26/17 or later
Not vulnerable if “ChallengeResponseAuthentication no” is set in sshd_config.
Fixed in openssh-5.3p1-114.el6 and later.
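
The two conditions above can be checked on a host with a short script. This is an added example, not part of the original advisory or any vendor tooling; the function names are hypothetical, the sample config is constructed, and it assumes that only the global section of sshd_config (before any Match block) matters and that an absent directive means the OpenSSH default of "yes".

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the effective global ChallengeResponseAuthentication value.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and "Keyword=value" is accepted as well as a space.
# Assumption: only the global section (before any Match block) is read.
cra_setting() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # strip comments and indent
        tolower($0) ~ /^match[ \t]/ { exit }
        tolower($0) ~ /^challengeresponseauthentication[ \t=]/ {
            v = tolower($0)
            sub(/^challengeresponseauthentication[ \t]*=?[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) print "yes" }          # OpenSSH default is yes
    ' "$1"
}

# Return 0 if an "openssh-5.3p1-<N>.el6*" package string is at or past the
# fixed release (114), 1 if older, 2 if it is not a 5.3p1 el6 build at all.
is_fixed_el6_build() {
    case "$1" in
        openssh-5.3p1-[0-9]*.el6*) ;;
        *) return 2 ;;
    esac
    rel=${1#openssh-5.3p1-}
    rel=${rel%%.*}
    case "$rel" in *[!0-9]*) return 2 ;; esac
    [ "$rel" -ge 114 ]
}

# Constructed sample config: the commented line is ignored, first value wins.
sample=$(mktemp)
printf '%s\n' '# ChallengeResponseAuthentication yes' \
    'challengeresponseauthentication no' \
    'ChallengeResponseAuthentication yes' > "$sample"
echo "sample config -> $(cra_setting "$sample")"
is_fixed_el6_build openssh-5.3p1-112.el6_7 || echo "112.el6_7 -> not fixed"
rm -f "$sample"
```

On a real system the inputs would be /etc/ssh/sshd_config and the output of `rpm -q openssh`.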