Too many public keys

Arthur Mesh amesh at
Wed Apr 3 11:01:35 EST 2013

On Tue, Apr 02, 2013 at 03:57:15PM -0700, Andy Lutomirski wrote:
> Received disconnect from [a.b.c.d]: 2: Too many authentication
> failures for [username]

Would it make sense to split max_authtries in to two separate counters:
 1) one that counts password/kbd_interactive auth attempts
 2) one that counts pubkey/certs auth attempts

One could argue password/kbd_interactive authentication attempts are
much more interesting. Having a low DEFAULT_AUTH_FAIL_MAX for these
would make sense.

Whereas, pubkey/cert auth attempts could have a higher threshold. This
would allow people who have boatload of different keys to avoid this


More information about the openssh-unix-dev mailing list