(PerSource)Penalties default perhaps too aggressive?
Brian Candler
b.candler at pobox.com
Thu Sep 11 06:12:33 AEST 2025
On 10/09/2025 20:56, hvjunk wrote:
> [preauth]
>
>
> Sep 10 21:38:22 fatm sshd-session[1518057]: Connection closed by authenticating user root 10.1.10.144 port 57153 [preauth]
> Sep 10 21:38:23 fatm sshd-session[1518059]: Connection closed by authenticating user root 10.1.10.144 port 57154 [preauth]
> Sep 10 21:38:23 fatm sshd-session[1518061]: Connection closed by authenticating user root 10.1.10.144 port 57157 [preauth]
> Sep 10 21:38:23 fatm sshd-session[1518063]: Connection closed by authenticating user root 10.1.10.144 port 57160 [preauth]
> Sep 10 21:38:23 fatm sshd-session[1518081]: Connection closed by authenticating user root 10.1.10.144 port 57161 [preauth]
> Sep 10 21:38:23 fatm sshd[1517637]: drop connection #0 from [10.1.10.144]:57162 on [10.1.11.11]:22 penalty: failed authentication
>
>
>> There are certain conditions that count against the client, such as failed authentication, clients that disconnect without attempting authentication, clients that wait longer than LoginGraceTime before authenticating, and so on. But AFAIK, a well-behaved client should not be penalised.
> seems in the archives, ssh-copy-id is not defined as a well behaved client ;(
Apparently so. I'd say it's worth investigating what's going on. It is
only a shell script: "#!/bin/sh -x" at the top may tell you more.
>
> a) Where/how do I set/change the “min” threshold value that is mentioned?
> I see a default 15sec mentioned, but nothing in sshd_config that looks like min threshold for penalties
I've not tried it myself, but it appears to be documented under
PerSourcePenalties: min:<duration>
so I would expect something like
PerSourcePenalties min:60s
You could also look at the output of "sshd -T", which trying with 10.0p2
from homebrew shows:
persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10
refuseconnection:10 max:600 min:15 max-sources4:65536 max-sources6:65536
overflow:permissive overflow6:permissive
>
> b) Which values should I tune for the “preauthorisation” failures that ssh-copy-id triggers? I.e. how do I make them trigger more frequently before penalty threshold
I would have guessed noauth:<duration> ("specifies how long to refuse
clients that disconnect without attempting authentication"). But since
the default is 1s, and the default min penalty is 15s, I would expect at
least 15 such disconnections to be required.
Again, really need to dig down further into what exactly ssh-copy-id is
doing.
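To make the arithmetic in the reply concrete, here is an added Python example (not from the thread or from OpenSSH itself) that parses the persourcepenalties line of "sshd -T" quoted above, computes how many events of each kind a single source can cause before its accumulated penalty reaches min, and counts the "drop connection ... penalty" lines per source in an sshd log. It assumes penalties from one source simply add up, which is how the reply reasons; the -T output and log lines are constructed copies of those quoted above.

```python
import math
import re

# Constructed copy of the persourcepenalties line from "sshd -T" quoted in the thread.
SSHD_T_LINE = ("persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 "
               "refuseconnection:10 max:600 min:15 max-sources4:65536 "
               "max-sources6:65536 overflow:permissive overflow6:permissive")

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Sep 10 21:38:22 fatm sshd-session[1518057]: Connection closed by authenticating user root 10.1.10.144 port 57153 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518059]: Connection closed by authenticating user root 10.1.10.144 port 57154 [preauth]
Sep 10 21:38:23 fatm sshd[1517637]: drop connection #0 from [10.1.10.144]:57162 on [10.1.11.11]:22 penalty: failed authentication
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_DURATION_KEYS = {"crash", "authfail", "noauth", "grace-exceeded",
                  "refuseconnection", "max", "min"}

def parse_duration(text):
    """Parse an sshd-style time value ('15', '60s', '1m30s') into seconds."""
    text = text.lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", text):
        raise ValueError("bad duration: %r" % text)
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", text))

def parse_penalties(line):
    """Turn the 'persourcepenalties ...' line of sshd -T into a dict of settings."""
    fields = line.split()
    if fields[0] != "persourcepenalties":
        raise ValueError("not a persourcepenalties line")
    out = {}
    for item in fields[1:]:
        key, value = item.split(":", 1)
        out[key] = parse_duration(value) if key in _DURATION_KEYS else value
    return out

def events_before_refusal(penalties, kind):
    """Events of one kind a source can cause before its summed penalty reaches min.
    Assumes penalties accumulate additively per source (as the reply reasons)."""
    per_event = penalties[kind]
    return None if per_event <= 0 else math.ceil(penalties["min"] / per_event)

def count_penalty_drops(log_text):
    """Count 'drop connection ... penalty: <reason>' lines per source address."""
    pat = re.compile(r"sshd\[\d+\]: drop connection #\d+ from \[([^\]]+)\]:\d+ .* penalty: (.+)$")
    counts = {}
    for line in log_text.splitlines():
        m = pat.search(line)
        if m:
            per_src = counts.setdefault(m.group(1), {})
            per_src[m.group(2)] = per_src.get(m.group(2), 0) + 1
    return counts
```

With the defaults shown, noauth:1 against min:15 gives 15 disconnections before refusal, matching the estimate in the reply; raising min (for example "PerSourcePenalties min:60s") raises that count proportionally.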