Too many public keys

Carson Gaspar carson at
Wed Apr 3 20:17:09 EST 2013

On 4/3/13 1:01 AM, Arthur Mesh wrote:
> On Tue, Apr 02, 2013 at 03:57:15PM -0700, Andy Lutomirski wrote:
>> Received disconnect from [a.b.c.d]: 2: Too many authentication
>> failures for [username]
> Would it make sense to split max_authtries into two separate counters:
>   1) one that counts password/kbd_interactive auth attempts
>   2) one that counts pubkey/certs auth attempts
> One could argue password/kbd_interactive authentication attempts are
> much more interesting. Having a low DEFAULT_AUTH_FAIL_MAX for these
> would make sense.
> Whereas, pubkey/cert auth attempts could have a higher threshold. This
> would allow people who have a boatload of different keys to avoid this
> problem.

I have also seen this where GSSAPI auth eats into the auth count and 
causes spurious failures. I concur that a different threshold for 
password-like auth mechanisms would be a useful feature.
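
An added illustration of the split-counter proposal discussed in this thread (not part of the original message and not OpenSSH code): a simplified model in which every failed attempt of any method counts toward a limit. The split limits (3 and 20), the function and counter names, and the sample sessions are assumptions; 6 is OpenSSH's default MaxAuthTries.

```python
# Simplified model (an assumption, not OpenSSH source): each failed attempt
# increments a counter, and the server disconnects when that counter
# reaches its limit.
PASSWORD_LIKE = {"password", "keyboard-interactive"}

def run_session(attempts, limits):
    """attempts: list of (method, succeeds) in the order the client tries them.
    limits: {"all": n} models the single shared counter;
            {"password_like": n, "other": m} models the proposed split.
    Returns (outcome, failures_by_counter)."""
    failures = {name: 0 for name in limits}
    for method, succeeds in attempts:
        if succeeds:
            return "authenticated via " + method, failures
        if "all" in limits:
            bucket = "all"
        else:
            bucket = "password_like" if method in PASSWORD_LIKE else "other"
        failures[bucket] += 1
        if failures[bucket] >= limits[bucket]:
            return "disconnected: too many authentication failures", failures
    return "client gave up", failures

SINGLE = {"all": 6}                        # OpenSSH default MaxAuthTries
SPLIT = {"password_like": 3, "other": 20}  # hypothetical limits for the proposal

# Constructed sessions: a user whose GSSAPI attempt fails and whose agent then
# offers five wrong keys before the right one, and a client guessing passwords.
MANY_KEYS = ([("gssapi-with-mic", False)]
             + [("publickey", False)] * 5
             + [("publickey", True)])
GUESSER = [("password", False)] * 10

if __name__ == "__main__":
    for label, session in (("many keys", MANY_KEYS), ("guesser", GUESSER)):
        for name, limits in (("single", SINGLE), ("split", SPLIT)):
            print(label, name, run_session(session, limits))
```

With the shared counter the GSSAPI failure uses up one of the six tries, so the legitimate user is cut off one key short of the correct one, while the split keeps password guessing on the tighter limit.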


More information about the openssh-unix-dev mailing list