[Bug 3153] New: Prefer user specified keys to avoid the agent overloading MaxAuthTries before even trying the key that was specified

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Apr 23 16:36:34 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3153

            Bug ID: 3153
           Summary: Prefer user specified keys to avoid the agent
                    overloading MaxAuthTries before even trying the key
                    that was specified
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: christian.ehrhardt at canonical.com

Created attachment 3385
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3385&action=edit
RFC patch to start the discussion

Hi,
in a recent bug report to Ubuntu [1] I was wondering that this issue
seems to exist for so long and affect so many people
[2][3][4][5][6][7][8].
It was also discussed within openssh in [9][10].
But in all of those cases all that was done was to suggest workarounds
like "PubkeyAuthentication=no" or "IdentitiesOnly=yes", but IMHO those
are all just exactly that - workarounds.

Also there are many "related but not entirely the same" upstream bugs
like [11][12], but it seems no one has yet discussed the approach we
had in mind.

If a usual user calls ssh like
  ssh -i <mykey> ...
And gets:
  "Too many authentication failures"
He'd not even think about <mykey> not even being tried.

The problem is that the current order in pubkey_prepare will order
those directly specified keys too late.

 * try keys in the following order:
 *     1. certificates listed in the config file
 *     2. other input certificates
 *     3. agent keys that are found in the config file
 *     4. other agent keys
 *     5. keys that are only listed in the config file

Yes, if <mykey> is in the agent it will come at #3 which usually is
early enough.
But if <mykey> isn't in the agent which is usual for any new key that a
user created/tries it will come at #5.
If now the number of keys in #4 exceed the servers "i" the user gets
rejected without even trying <mykey> that he has specified.

Config may be config, but if a user specifies something directly on
invocation I'd expect it to supersede the configuration.

I'm clear that there might be more needed:
- has it to be ordered behind certs?
- do user-specified certs also need to get up in the list?
- does a test need to be added?
- discussion here about potential drawbacks
- ...

But I wanted to get things started and therefore I have attached a
sugegsted initial patch as well as a Ubuntu PPA [13] with it applied.

[1]: https://bugs.launchpad.net/debian/+source/openssh/+bug/1872145
[2]:
https://serverfault.com/questions/36291/how-to-recover-from-too-many-authentication-failures-for-user-root
[3]:
https://www.tecmint.com/fix-ssh-too-many-authentication-failures-error/
[4]:
https://superuser.com/questions/187779/too-many-authentication-failures-for-username
[5]:
https://blog.jasonmeridth.com/posts/ssh-too-many-authentication-failures/
[6]:
https://security.stackexchange.com/questions/65120/ssh-always-too-many-authentication-failures
[7]: https://www.unixtutorial.org/ssh-too-many-authentication-failures
[8]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203700
[9]:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2003-December/019931.html
[10]:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-April/035029.html
[11]: https://bugzilla.mindrot.org/show_bug.cgi?id=1499
[12]: https://bugzilla.mindrot.org/show_bug.cgi?id=1937
[13]:
https://launchpad.net/~paelzer/+archive/ubuntu/bug-872145-ssh-prefer-user-configured-key

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list