Problem and Patch: Multiple keys in ssh.com V2 agent
Ulrich Kiermayr
uk at ap.univie.ac.at
Fri Dec 1 03:20:54 EST 2000
On Thu, 30 Nov 2000, Richard E. Silverman wrote:
> On Thu, 30 Nov 2000, Ulrich Kiermayr wrote:
> >
> > If I have more than one key in my agent, then the agent tries to
> > authenticate me with every one of them at the OpenSSH server; but none
> > of them is a valid key for that server. The problem is that the server
> > increments authctxt->attempt at every one of those tries. So even if you
> > want to login with a password at that server, you have to disable the
> > agent first in order to get that chance. If the agent is running, you run
> > out of tries _before_ you are able to enter a password.
>
> This is a known issue. I think the right thing to do is to allow
> unlimited public-key checks (i.e. SSH_MSG_USERAUTH_REQUEST's with the
> boolean parameter set to FALSE), but count requests that actually contain
> a signature (TRUE) against the limit. Markus agreed with me, last time we
> corresponded about this.
Hmm great, but one has to check if allowing infinite public-key checks
could maybe lead to some sort of DoS against the daemon. (Just
thinking....)
LL&P uk
--
---------------------------------------------------------------------------
Ulrich Kiermayr Zentraler Informatikdienst der Universitaet Wien
Security Team Boltzmanngasse 5, A-1090 Vienna, Austria
---------------------------------------------------------------------------
eMail: ulrich.kiermayr at univie.ac.at Tel: (+43 1) 4277 / 14104
Hotline: security.zid at univie.ac.at Fax: (+43 1) 4277 / 9141
Web: http://www.univie.ac.at/zid/security
---------------------------------------------------------------------------
GPG Key fingerprint = BF0D 5749 4DC1 ED74 AB67 7180 105F 491D A8D7 64D8
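
The counting rule discussed in this thread, as an added example that is not part of the original messages and is not OpenSSH code: key queries (boolean FALSE) are not charged against the attempt limit, signed requests and other methods are, and a separate cap on queries bounds the DoS concern raised in the reply. The names account_request, build_request, struct authctx and both limits are assumptions made for illustration.

```c
/* Added illustration, not OpenSSH code. Names and limits are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSH_MSG_USERAUTH_REQUEST 50
#define MAX_COUNTED 6   /* assumed limit on attempts that count */
#define MAX_PROBES 32   /* assumed separate cap on key queries */
enum verdict { REJECT_MALFORMED, ALLOW, DISCONNECT };
struct authctx { int attempts; int probes; };

/* Read an SSH string (uint32 big-endian length, then bytes); advance *off. */
static int get_string(const uint8_t *p, size_t len, size_t *off,
                      const uint8_t **s, uint32_t *slen) {
    if (len - *off < 4) return -1;
    uint32_t n = (uint32_t)p[*off] << 24 | (uint32_t)p[*off + 1] << 16 |
                 (uint32_t)p[*off + 2] << 8 | p[*off + 3];
    *off += 4;
    if (n > len - *off) return -1;          /* length runs past the packet */
    *s = p + *off; *slen = n; *off += n;
    return 0;
}

/* Classify one request payload (RFC 4252 layout) and update the counters. */
enum verdict account_request(struct authctx *c, const uint8_t *p, size_t len) {
    const uint8_t *s = NULL; uint32_t n = 0; size_t off = 1;
    if (len < 1 || p[0] != SSH_MSG_USERAUTH_REQUEST) return REJECT_MALFORMED;
    for (int i = 0; i < 3; i++)             /* user, service, method name */
        if (get_string(p, len, &off, &s, &n)) return REJECT_MALFORMED;
    if (n == 9 && memcmp(s, "publickey", 9) == 0) {
        if (off >= len) return REJECT_MALFORMED;
        if (p[off] == 0)                    /* FALSE: key query, no signature */
            return ++c->probes > MAX_PROBES ? DISCONNECT : ALLOW;
    }
    /* Signed public-key requests and every other method count. */
    return ++c->attempts > MAX_COUNTED ? DISCONNECT : ALLOW;
}

/* Constructed sample input: a request cut off after the boolean field. */
size_t build_request(uint8_t *out, const char *method, int has_sig) {
    const char *f[3] = { "alice", "ssh-connection", method };
    size_t off = 0;
    out[off++] = SSH_MSG_USERAUTH_REQUEST;
    for (int i = 0; i < 3; i++) {
        size_t n = strlen(f[i]);
        out[off++] = 0; out[off++] = 0; out[off++] = 0; out[off++] = (uint8_t)n;
        memcpy(out + off, f[i], n); off += n;
    }
    out[off++] = has_sig ? 1 : 0;
    return off;
}
```

With these counters an agent holding many keys can query all of them and still leave the counted attempts free for a password, while a client that only sends queries is cut off at MAX_PROBES.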