[Bug 2211] New: Too many hostbased authentication attempts

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Mar 15 10:31:48 EST 2014


            Bug ID: 2211
           Summary: Too many hostbased authentication attempts
           Product: Portable OpenSSH
           Version: 6.5p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: imorgan at nas.nasa.gov

With the addition of support for host keys using ECDSA and ed25519, the
number of authentication attempts used by hostbased authentication has
also increased. This can make authentication problematic in cases where
hostbased authentication is enabled on both the client and server, but
misconfiguration causes all hostbased authentication attempts to fail.

Since hostbased authentication typically requires updating two (or
three) files on the server side, in addition to the sshd_config, it is
not unusual for there to be configuration issues when allowing a new
client to use hostbased authentication. For example, the client
may be mistyped in /etc/shosts.equiv. Complications can also arise if
the client system has multiple network interfaces, each with distinct
names in DNS; e.g. foo-ge, foo-xge.

The client will attempt to authenticate with each host key until it
succeeds, all host keys have been tried, or the number of allowed
authentication attempts have been exhausted. Thus, four out of the
default six authentication attempts can be used by hostbased
authentication before the user has a chance to attempt public-key or
password authentication. This situation can be made even worse if a
certificate is also available.

It would be helpful if there was a mechanism to limit the number of
authentication attempts used by hostbassed authentication, so that a
reasonable number still remain for other authentication methods if
hostbased authentication fails.

A simple solution would be to add support for an ssh_config(5) option
limit the number of attempts, such as HostbasedMaxTries or
MaxHostbasedAuthTries. A more flexible (although more complicated to
implement) solution would be to provide a means of specifying the keys
or key types to try; e.g. HostbasedKeyTypes ecdsa,ssh-rsa.

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list