(PerSource)Penalties default perhaps too aggressive?
Rory Campbell-Lange
rory at campbell-lange.net
Thu Sep 11 06:02:21 AEST 2025
On 10/09/25, hvjunk (hvjunk at gmail.com) wrote:
> Busy with my first deployment/lab test of PVE9/Debian13 that uses OpenSSH 10.0-p1 (1:10.0p1-7 Deb package version) and my normal ssh-copy-id triggers the penalty and then doesn’t install the keys. In *my* case I have like 4x keys to load, so ssh-copy-id tries them all, and then get the penalty triggers and the keys aren’t loaded.
Can you pre-configure sshd_config on the Debian hosts with the PerSourcePenaltyExemptList directive prior to installing keys?
This will allow you to specify a comma-separated list of addresses to exempt from penalties.
You could also tweak the penalty settings for various conditions in PerSourcePenalties. I'm guessing expanding min:duration might work in this case but I haven't tried it.
Rory
More information about the openssh-unix-dev
mailing list