(PerSource)Penalties default perhaps too aggressive?

hvjunk hvjunk at gmail.com
Thu Sep 11 05:56:44 AEST 2025



> On 10 Sep 2025, at 21:53, Brian Candler <b.candler at pobox.com> wrote:
> 
> On 10/09/2025 20:13, hvjunk wrote:
>>  Busy with my first deployment/lab test of PVE9/Debian13 that uses OpenSSH 10.0-p1 (1:10.0p1-7 Deb package version) and my normal ssh-copy-id triggers the penalty and then doesn’t install the keys.
> 
> Do you know (e.g. from sshd logs) what condition is triggering the penalty?

[preauth]


Sep 10 21:38:22 fatm sshd-session[1518057]: Connection closed by authenticating user root 10.1.10.144 port 57153 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518059]: Connection closed by authenticating user root 10.1.10.144 port 57154 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518061]: Connection closed by authenticating user root 10.1.10.144 port 57157 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518063]: Connection closed by authenticating user root 10.1.10.144 port 57160 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518081]: Connection closed by authenticating user root 10.1.10.144 port 57161 [preauth]
Sep 10 21:38:23 fatm sshd[1517637]: drop connection #0 from [10.1.10.144]:57162 on [10.1.11.11]:22 penalty: failed authentication

> There are certain conditions that count against the client, such as failed authentication, clients that disconnect without attempting authentication, clients that wait longer than LoginGraceTime before authenticating, and so on. But AFAIK, a well-behaved client should not be penalised.

Seems, from the archives, ssh-copy-id is not defined as a well-behaved client ;(
> 
> https://man.openbsd.org/sshd_config

Reading that, I’m asking the following questions I’ve not seen answers to yet (my AI/google-fu might be bad?):

a) Where/how do I set/change the “min” threshold value that is mentioned?
I see a default of 15 sec mentioned, but nothing in sshd_config that looks like a min threshold for penalties.

b) Which values should I tune for the “preauthorisation” failures that ssh-copy-id triggers? I.e. how do I allow them to occur more frequently before the penalty threshold is reached?

c) I see several sub-options for PerSourcePenalties, but no example of how to set them (even just the default would be great).
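Added example, not part of the thread above and not OpenSSH project code: a small Python script that parses the sshd log lines quoted in the post to show which per-source penalty fired (the drop line itself says "penalty: failed authentication", i.e. the authfail counter), and that composes a PerSourcePenalties directive from explicit sub-option values. The sub-option names and defaults in PENALTY_DEFAULTS are the ones documented in sshd_config(5) for OpenSSH 9.8 and later (min: is the "minimum penalty before a client is denied" threshold asked about in question a); the 10.1.10.0/24 exempt range is an assumption for a lab network, and the effective values on a given host should be confirmed with `sshd -T | grep -i penalt`.

```python
"""Parse sshd per-source penalty log lines and build a PerSourcePenalties directive.

Added example; the log text is the one quoted in the mailing-list post,
the defaults are those documented in sshd_config(5) (OpenSSH 9.8+).
Confirm on a host with:  sshd -T | grep -i penalt
"""
import re
from collections import defaultdict

# Log lines as pasted in the thread: 10.1.10.144 is the ssh-copy-id client,
# fatm (10.1.11.11) is the sshd host.
SAMPLE_LOG = """\
Sep 10 21:38:22 fatm sshd-session[1518057]: Connection closed by authenticating user root 10.1.10.144 port 57153 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518059]: Connection closed by authenticating user root 10.1.10.144 port 57154 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518061]: Connection closed by authenticating user root 10.1.10.144 port 57157 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518063]: Connection closed by authenticating user root 10.1.10.144 port 57160 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518081]: Connection closed by authenticating user root 10.1.10.144 port 57161 [preauth]
Sep 10 21:38:23 fatm sshd[1517637]: drop connection #0 from [10.1.10.144]:57162 on [10.1.11.11]:22 penalty: failed authentication
"""

# A client that disconnects mid-authentication (one line per ssh-copy-id probe).
PREAUTH_CLOSE = re.compile(
    r"Connection closed by authenticating user (?P<user>\S+) (?P<src>\S+) port \d+ \[preauth\]"
)
# The listener refusing a connection because the source's penalty exceeded min:.
PENALTY_DROP = re.compile(
    r"drop connection #\d+ from \[(?P<src>[^\]]+)\]:\d+ on \[[^\]]+\]:\d+ penalty: (?P<reason>.+)$"
)


def summarise_penalties(log_text):
    """Return {src: {"preauth_closes": n, "drops": [reason, ...]}} per client address."""
    out = defaultdict(lambda: {"preauth_closes": 0, "drops": []})
    for line in log_text.splitlines():
        m = PREAUTH_CLOSE.search(line)
        if m:
            out[m["src"]]["preauth_closes"] += 1
            continue
        m = PENALTY_DROP.search(line)
        if m:
            out[m["src"]]["drops"].append(m["reason"])
    return dict(out)


# Sub-options and defaults as documented in sshd_config(5). Penalty values
# are seconds; min: is the threshold below which a source is not yet denied.
PENALTY_DEFAULTS = {
    "crash": 90, "authfail": 5, "noauth": 1, "grace-exceeded": 10,
    "max": 600, "min": 15, "max-sources4": 65536, "max-sources6": 65536,
    "overflow": "permissive", "overflow6": "permissive",
}


def per_source_penalties_line(overrides):
    """Compose a PerSourcePenalties directive from a {sub-option: value} dict.

    Only the given sub-options are emitted (sshd keeps defaults for the rest);
    names not documented in sshd_config(5) are rejected before they reach sshd.
    """
    unknown = set(overrides) - set(PENALTY_DEFAULTS)
    if unknown:
        raise ValueError(f"unknown PerSourcePenalties sub-option(s): {sorted(unknown)}")
    parts = " ".join(f"{k}:{v}" for k, v in overrides.items())
    return f"PerSourcePenalties {parts}"


def lab_config_snippet(exempt_cidr="10.1.10.0/24"):
    """sshd_config lines for a lab: keep penalties on, but exempt the admin network.

    The exempt range is an assumed lab value; PerSourcePenaltyExemptList is the
    documented directive for sources that should never be penalised.
    """
    return "\n".join([
        "# Full defaults, spelled out (equivalent to leaving the directive unset):",
        per_source_penalties_line(PENALTY_DEFAULTS),
        f"PerSourcePenaltyExemptList {exempt_cidr}",
    ])


if __name__ == "__main__":
    for src, info in summarise_penalties(SAMPLE_LOG).items():
        print(f"{src}: {info['preauth_closes']} preauth closes, drops={info['drops']}")
    print(lab_config_snippet())
```

Running the script on the quoted log reports five pre-auth closes from 10.1.10.144 followed by one drop with reason "failed authentication", which is the authfail penalty accumulating past min:; the printed snippet shows the complete default directive and an exempt list entry for the lab network, which is the narrowest change that keeps penalties active for everyone else.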
