(PerSource)Penalties default perhaps too aggressive?
Brian Candler
b.candler at pobox.com
Thu Sep 11 06:15:41 AEST 2025
On 10/09/2025 21:12, Brian Candler wrote:
> I would have guessed noauth:<duration> ("specifies how long to refuse
> clients that disconnect without attempting authentication"). But
> since the default is 1s, and the default min penalty is 15s, I would
> expect at least 15 such disconnections to be required.
Actually, since the message says "penalty: failed authentication", then
maybe it's
authfail:duration <https://man.openbsd.org/sshd_config#authfail:duration>
    Specifies how long to refuse clients that disconnect after making
    one or more unsuccessful authentication attempts (default: 5s).
in which case, with default settings, 3 such failures would start to
enforce a penalty. But I have no idea why ssh-copy-id is failing to
authenticate; surely you must give it some valid credentials for it to
be able to do its job? Even if it has to fall back to password auth?