Too many public keys
Carson Gaspar
carson at taltos.org
Wed Apr 3 20:17:09 EST 2013
On 4/3/13 1:01 AM, Arthur Mesh wrote:
> On Tue, Apr 02, 2013 at 03:57:15PM -0700, Andy Lutomirski wrote:
>> Received disconnect from [a.b.c.d]: 2: Too many authentication
>> failures for [username]
>
> Would it make sense to split max_authtries into two separate counters:
> 1) one that counts password/kbd_interactive auth attempts
> 2) one that counts pubkey/certs auth attempts
>
> One could argue password/kbd_interactive authentication attempts are
> much more interesting. Having a low DEFAULT_AUTH_FAIL_MAX for these
> would make sense.
>
> Whereas, pubkey/cert auth attempts could have a higher threshold. This
> would allow people who have a boatload of different keys to avoid this
> problem.
I have also seen this where GSSAPI auth eats into the auth count and
causes spurious failures. I concur that a different threshold for
password-like auth mechanisms would be a useful feature.
--
Carson
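
A simplified model of the counters discussed in this thread, added here as an illustration; it is not code from the message or from OpenSSH. The limit of 6 for the shared counter matches OpenSSH's DEFAULT_AUTH_FAIL_MAX; the split limits (3 and 20), the function names and the attempt sequences are assumptions constructed for the example.

```python
# Toy model of server-side authentication failure counting (not OpenSSH source).
PASSWORD_LIKE = {"password", "keyboard-interactive"}

def single_counter(method):
    """Current behaviour: every failed method shares one counter."""
    return "all"

def split_counter(method):
    """Proposed behaviour: password-like methods get their own counter."""
    return "password-like" if method in PASSWORD_LIKE else "key-like"

def simulate(attempts, classify, limits):
    """attempts: list of (method, succeeded). Returns (outcome, method, attempt_no)."""
    failures = {name: 0 for name in limits}
    for number, (method, succeeded) in enumerate(attempts, start=1):
        if succeeded:
            return ("authenticated", method, number)
        bucket = classify(method)
        failures[bucket] += 1
        if failures[bucket] >= limits[bucket]:
            return ("disconnected", method, number)
    return ("gave-up", None, len(attempts))

# Constructed session: one failed GSSAPI attempt, five keys the server does
# not accept, then the correct key as the seventh attempt.
MANY_KEYS = ([("gssapi-with-mic", False)]
             + [("publickey", False)] * 5
             + [("publickey", True)])

# Constructed session: repeated password guesses that never succeed.
PASSWORD_GUESSING = [("password", False)] * 10

SHARED = {"all": 6}                             # single counter, limit 6
SPLIT = {"password-like": 3, "key-like": 20}    # assumed split limits

if __name__ == "__main__":
    for name, session in (("many keys", MANY_KEYS),
                          ("password guessing", PASSWORD_GUESSING)):
        print(name, "shared:", simulate(session, single_counter, SHARED))
        print(name, "split: ", simulate(session, split_counter, SPLIT))
```

With the shared counter the legitimate user is disconnected before the correct key is offered, while the split counters let that key through and cut off password guessing earlier.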