(PerSource)Penalties default perhaps too aggressive?
hvjunk
hvjunk at gmail.com
Thu Sep 11 08:13:25 AEST 2025
> On 10 Sep 2025, at 22:02, Rory Campbell-Lange <rory at campbell-lange.net> wrote:
>
> On 10/09/25, hvjunk (hvjunk at gmail.com) wrote:
>> Busy with my first deployment/lab test of PVE9/Debian13 that uses OpenSSH 10.0-p1 (1:10.0p1-7 Deb package version) and my normal ssh-copy-id triggers the penalty and then doesn’t install the keys. In *my* case I have like 4x keys to load, so ssh-copy-id tries them all, and then get the penalty triggers and the keys aren’t loaded.
>
> Can you pre-configure sshd_config on the Debian hosts with the PerSourcePenaltyExemptList directive prior to installing keys?
simpler to just set "PerSourcePenalties no” as most cases I need to do this I’m from mobile/random IPs on laptops :D
> You could also tweak the penalty settings for various conditions in PerSourcePenalties. I'm guessing expanding min:duration might work in this case but I haven't tried it.
yeah, it’s understanding that examples configs I haven’t seen documented (yet)
More information about the openssh-unix-dev
mailing list