Too many public keys

Phil Pennock phil.pennock at globnix.org
Sat Apr 6 04:57:18 EST 2013


On 2013-04-05 at 10:56 +0200, Aris Adamantiadis wrote:
> If you have too many public keys, you can use a config file to
> specifically set an identity file to use with a host. I don't see what
> problems you try to resolve, when in the opposite this limit on the
> number of public key tries per connection has actually been useful during
> the Debian OpenSSL fiasco.
> While I agree that there's no point counting failed GSSAPI attempts, as
> these cannot really be brute-forced.

Throwing out a random crazy idea for consideration:

How about a cap per key type, then?  If I'm trying to brute-force DSA,
trying an RSA key shouldn't count against that limit.

I suspect that a reasonable limit is 3 per key-type.  Folks normally
have one per type loaded, they might try a second because they
forgot/didn't-know-about IdentitiesOnly, and one more allows for
weirdness, like "I added keys from a second host for an emergency, then
ran a tool which doesn't specify IdentitiesOnly".

Does this seem reasonable?
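The two mechanisms discussed in this thread (pinning a host to one IdentityFile with IdentitiesOnly so the client stops offering every agent key, and the server-side attempt limit, either the single MaxAuthTries counter or the per-key-type counter proposed above) can be modelled in a few dozen lines. The following is an added illustration written for this page, not OpenSSH code. The ssh_config text, the agent contents and the ~/.ssh listing are constructed sample data; the parser handles only Host, IdentityFile and IdentitiesOnly, and the server model assumes that every rejected key counts as one failure and that the connection is dropped when the failure count reaches the cap (sshd's exact boundary condition and Host negation patterns are not modelled).

```python
"""Which public keys an ssh client offers to a host, and when the server's
per-connection attempt limit cuts it off.  Simplified model for illustration;
not OpenSSH code.  Assumed semantics: IdentityFile values accumulate across
matching Host blocks, the first IdentitiesOnly value wins, agent keys are
offered before file keys, each rejected key counts as one failure, and the
server disconnects once the failure count reaches the cap."""
import fnmatch
from typing import Dict, List, Tuple

MAX_AUTH_TRIES = 6  # sshd_config default for MaxAuthTries
DEFAULT_IDENTITY_FILES = ["~/.ssh/id_rsa", "~/.ssh/id_dsa", "~/.ssh/id_ecdsa"]

# Constructed sample ssh_config: one host pinned to a single key, everything else default.
SAMPLE_CONFIG = """\
Host emergency-box
    IdentityFile ~/.ssh/emergency_rsa
    IdentitiesOnly yes

Host *
    IdentityFile ~/.ssh/id_rsa
"""
# Constructed view of ~/.ssh: path -> key type, for the files that exist on disk.
ON_DISK = {"~/.ssh/id_rsa": "ssh-rsa", "~/.ssh/emergency_rsa": "ssh-rsa"}
# Constructed agent contents: keys from two hosts, the "added for an emergency" case.
AGENT_KEYS = [("work_rsa", "ssh-rsa"), ("home_rsa", "ssh-rsa"),
              ("work_dsa", "ssh-dss"), ("home_dsa", "ssh-dss"),
              ("work_ecdsa", "ecdsa-sha2-nistp256"), ("home_ecdsa", "ecdsa-sha2-nistp256")]


def parse_ssh_config(text: str) -> List[Tuple[List[str], Dict]]:
    """Return ordered (host_patterns, options) blocks.
    Options before the first Host line form an implicit 'Host *' block."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        elif key == "identityfile":
            opts.setdefault("identityfile", []).append(value)
        elif key == "identitiesonly":
            opts.setdefault("identitiesonly", value.lower() == "yes")
    blocks.append((patterns, opts))
    return blocks


def effective_options(blocks, host: str) -> Tuple[List[str], bool]:
    """ssh_config rule: first obtained value wins, except IdentityFile accumulates.
    With no IdentityFile at all, the client falls back to the default file list."""
    files, only = [], None
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            files.extend(opts.get("identityfile", []))
            if only is None and "identitiesonly" in opts:
                only = opts["identitiesonly"]
    return (files or list(DEFAULT_IDENTITY_FILES)), bool(only)


def keys_offered(host: str, config_text: str = SAMPLE_CONFIG,
                 agent=AGENT_KEYS, on_disk=ON_DISK) -> List[Tuple[str, str]]:
    """Ordered (name, keytype) list the client would try against `host`:
    agent keys first unless IdentitiesOnly is set, then the configured files that exist."""
    files, only = effective_options(parse_ssh_config(config_text), host)
    offered = [] if only else list(agent)
    for path in files:
        if path in on_disk and all(name != path for name, _ in offered):
            offered.append((path, on_disk[path]))
    return offered


def server_verdict(offered, accepted_name: str, cap: int = MAX_AUTH_TRIES,
                   per_keytype: bool = False) -> Tuple[str, int]:
    """Walk the offered keys in order.  ('ok', n) if `accepted_name` is reached
    at attempt n before the limit, ('disconnect', n) if the limit is hit first,
    ('no_key', n) if the accepted key is never offered.
    per_keytype=False: one global counter (MaxAuthTries as it is today).
    per_keytype=True: a separate counter per key type (the proposal in this thread)."""
    failures: Dict[str, int] = {}
    for n, (name, ktype) in enumerate(offered, 1):
        if name == accepted_name:
            return ("ok", n)
        bucket = ktype if per_keytype else "*"
        failures[bucket] = failures.get(bucket, 0) + 1
        if failures[bucket] >= cap:
            return ("disconnect", n)
    return ("no_key", len(offered))


if __name__ == "__main__":
    accepted = {"emergency-box": "~/.ssh/emergency_rsa", "shell.example.org": "~/.ssh/id_rsa"}
    for host, key in accepted.items():
        offered = keys_offered(host)
        print(host, "offers", [name for name, _ in offered])
        print("  global cap of", MAX_AUTH_TRIES, "->", server_verdict(offered, key))
        print("  per-type cap of 3 ->", server_verdict(offered, key, cap=3, per_keytype=True))
```

Run as is: the host with IdentitiesOnly authenticates on the first try because the six agent keys are never offered, while the default host offers all six agent keys ahead of ~/.ssh/id_rsa and is cut off by the global cap before it gets there; under the per-key-type cap of 3 the same sequence succeeds on the seventh try, and only a third rejected RSA key would trip it. The fix on the client side is still the one from the quoted reply: a Host block with IdentityFile and IdentitiesOnly for the host in question.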

