PerSourcePenalties and ssh-copy-id
Damien Miller
djm at mindrot.org
Tue Dec 10 12:29:47 AEDT 2024
On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote:
> Dear colleagues,
>
> Can we somehow improve the UX related to a relatively freshly
> introduced PerSourcePenalties option?
>
> A popular pattern implies installation of the users' keys to a freshly
> installed machine using ssh-copy-id script. The default settings don't
> allow this command to work normally and cause login failures.
>
> A reasonable workaround could be adding some threshold for a number of
> failures before the penalties are applied.

That's how the penalty system works now.

Can you provide an example session that is failing? The default threshold
is three authentication failures in a fifteen second period. I guess you
have more keys than that?

IMO it's probably ssh-copy-id that needs to change. It looks like it
filters public keys by trying them against a target host. IMO it should
check them directly against authorized_keys on the target system, as
that wouldn't cause login failures and will result in less logspam for
server operators.

-d
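
The direct comparison suggested in the reply above, sketched as an added example that is not part of the original message and is not ssh-copy-id's own code: local public keys are matched by key type and base64 blob against an authorized_keys file, so no authentication attempt is made per key. It assumes the target's authorized_keys content is readable as a file (for instance within one already authenticated session); the function names and the sample keys are constructed for illustration.

```sh
#!/bin/sh
# Added example; key_id, missing_keys and demo are hypothetical helper names.

# Print "type blob" for each key line on stdin. Comment lines are skipped,
# and leading options and the trailing comment field are ignored.
# Limitation: an option value that itself embeds "keytype AAAA..." text
# would be misread.
key_id() {
    awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $(i + 1) ~ /^AAAA/) {
                    print $i, $(i + 1)
                    break
                }
        }'
}

# missing_keys AUTH_FILE PUBKEY_FILE...
# Prints each PUBKEY_FILE whose key is not already listed in AUTH_FILE.
missing_keys() {
    auth=$1; shift
    known=$(key_id < "$auth")
    for pub in "$@"; do
        id=$(key_id < "$pub")
        [ -n "$id" ] || continue
        printf '%s\n' "$known" | grep -qxF -- "$id" || printf '%s\n' "$pub"
    done
}

# Constructed sample data: the blobs below are placeholders, not real keys.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'from="192.0.2.10" ssh-ed25519 AAAAC3ConstructedBlobOne alice@laptop' \
        > "$d/authorized_keys"
    echo 'ssh-ed25519 AAAAC3ConstructedBlobOne other-comment' > "$d/one.pub"
    echo 'ssh-ed25519 AAAAC3ConstructedBlobTwo alice@desktop' > "$d/two.pub"
    (cd "$d" && missing_keys authorized_keys one.pub two.pub)
    rm -rf "$d"
}

demo   # prints: two.pub
```

Because only the key type and blob are compared, a key already installed with different options or a different comment is still recognised as present.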