(PerSource)Penalties default perhaps too aggressive?

[hvjunk]

> On 10 Sep 2025, at 23:15, Colin Watson <cjwatson at debian.org> wrote:
> 
> On Wed, Sep 10, 2025 at 09:13:54PM +0200, hvjunk wrote:
>> Busy with my first deployment/lab test of PVE9/Debian13 that uses OpenSSH 10.0-p1 (1:10.0p1-7 Deb package version) and my normal ssh-copy-id triggers the penalty and then doesn’t install the keys. In *my* case I have like 4x keys to load, so ssh-copy-id tries them all, and then get the penalty triggers and the keys aren’t loaded.
> 
> I cherry-picked a post-10.0 upstream fix in this area into Debian testing/unstable, but haven't yet issued a stable update for it.  Does https://bugs.debian.org/1080350 sound as though it matches your symptoms?

Not quite, this does match other “hammering” cases (eg. find . -type f | xargs -P 50 rsync {} remote:/path/{} ) when I need multiple parallel sessions to keep the network/disk pipes busy. 
This “bug/1080350” is similar to another maxstartup parameter that has troubles with the massive parallel startup, which looks like a DoS attack to keep the system busy during the expensive public key exchange - been having those type of issues for at least 4 years, but those are parallel issue, not in the ssh-copy-id case a serialized “attack"