Too many public keys

Andy Lutomirski luto at
Thu Apr 4 04:22:41 EST 2013

On Tue, Apr 2, 2013 at 5:01 PM, Arthur Mesh <amesh at> wrote:
> On Tue, Apr 02, 2013 at 03:57:15PM -0700, Andy Lutomirski wrote:
>> Received disconnect from [a.b.c.d]: 2: Too many authentication
>> failures for [username]
> Would it make sense to split max_authtries in to two separate counters:
>  1) one that counts password/kbd_interactive auth attempts
>  2) one that counts pubkey/certs auth attempts
> One could argue password/kbd_interactive authentication attempts are
> much more interesting. Having a low DEFAULT_AUTH_FAIL_MAX for these
> would make sense.
> Whereas, pubkey/cert auth attempts could have a higher threshold. This
> would allow people who have boatload of different keys to avoid this
> problem.

That would work for me.

I wonder if (with a protocol extension) something even better could be
done: take all locally available private keys, construct a small Bloom
filter and send it to the server, and have the server decide whether
any of the keys it accepts match.  (This would be efficient for shell
accounts but would be worse than useless for things like gitolite.)


More information about the openssh-unix-dev mailing list