(PerSource)Penalties default perhaps too aggressive?
hvjunk
hvjunk at gmail.com
Thu Sep 11 08:48:33 AEST 2025
> On 10 Sep 2025, at 22:12, Brian Candler <b.candler at pobox.com> wrote:
>
> On 10/09/2025 20:56, hvjunk wrote:
>> [preauth]
>>
>> seems in the archives, ssh-copy-id is not defined as a well behaved client ;(
>
> Apparently so. I'd say it's worth investigating what's going on. It is only a shell script: "#!/bin/sh -x" at the top may tell you more.
Simple algorithm:
(a) get a list of keys using: ssh-add -L
(b) iterate over the list attempting to login with each key separately, using a separate login/ssh session/connection
(c) Found any key that “worked”?
YES: use that key to dump the set of keys that didn’t work into ~/.ssh/authorized_keys
NO: normal ssh session going through the normal logins
Usually C:NO is when I just type in the password and continue.
With some pre-provisioned cases that only allow a single key, the C:YES case would dump the rest of the SSH keys.
Nothing… untoward, just triggering this problem on 10.0 (I guess I might’ve picked it up on 9.8 IF I was using/deploying a new Ubuntu 24.04 perhaps Debian 12 in the previous 2 months).
>> a) Where/how do I set/change the “min” threshold value that is mentioned?
>> I see a default 15sec mentioned, but nothing in sshd_config that looks like min threshold for penalties
>
> I've not tried it myself, but it appears to be documented under PerSourcePenalties: min:<duration>
source?
> so I would expect something like
>
> PerSourcePenalties min:60s
>
> You could also look at the output of "sshd -T", which trying with 10.0p2 from homebrew shows:
>
> persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 refuseconnection:10 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive
Thank you!!
On the PVE9/Deb13:
persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 refuseconnection:10 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive
>> b) Which values should I tune for the “preauthorisation” failures that ssh-copy-id triggers? Ie. how do I make them trigger more frequently before penalty threshold
>
> I would have guessed noauth:<duration> ("specifies how long to refuse clients that disconnect without attempting authentication"). But since the default is 1s, and the default min penalty is 15s, I would expect at least 15 such disconnections to be required.
Nope, seems that in this case, it is authfail:5 that after the 4th key check exceeds the min:15
> Again, really need to dig down further into what exactly ssh-copy-id is doing.
Just in quick SUCCESSION, ssh-copy-id checks ssh keys, one per session, triggering authfails ([preauth]) (Reason it checks all is as mentioned before, some keys might be in LDAP/etc. so not needed/wanted in ~/.ssh/authorized_keys)
So the solution*S*:
1. Fix sshd_config
(a) bigger min:<arg> where <arg>/authfail(5) > the number of ssh keys ssh-copy-id needs to not yet in databases
(b) drop authfail:<arg> (Similar argument as above)
(c) bit of each :)
2. Patch ssh-copy-id
in the filer_ids() procedure, add a “sleep 5” to totally “time out” the 5s from authfail
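
The arithmetic behind fixes 1(a) and 2 above, as an added example that is not part of the original post and is not OpenSSH or ssh-copy-id code. It assumes a simplified accrual model (each failure adds its penalty, the outstanding penalty drains one second per second, blocking starts once it exceeds min); the function names are hypothetical, and the input is the "sshd -T" line quoted in the thread.

```shell
#!/bin/sh
# Simplified model of PerSourcePenalties accrual (an assumption, not sshd's
# code): every failure adds its penalty, the outstanding penalty drains 1s
# per second, and the source is blocked once the total exceeds min.

# The "sshd -T" line quoted in the thread.
SAMPLE='persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 refuseconnection:10 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive'

# penalty_field LINE KEY: print the value of KEY from a persourcepenalties line.
penalty_field() {
    for tok in $1; do
        case "$tok" in
            "$2":*) printf '%s\n' "${tok#*:}"; return 0 ;;
        esac
    done
    return 1
}

# failures_until_block PER MIN GAP: print which failure in a row (GAP seconds
# apart) first triggers the block, or "never" if the penalty drains in time.
failures_until_block() {
    per=$1; min=$2; gap=$3; outstanding=0; n=0
    if [ "$per" -le "$min" ] && [ "$gap" -ge "$per" ]; then
        echo never; return 0
    fi
    while :; do
        n=$((n + 1))
        outstanding=$((outstanding + per))
        if [ "$outstanding" -gt "$min" ]; then echo "$n"; return 0; fi
        outstanding=$((outstanding - gap))
        if [ "$outstanding" -lt 0 ]; then outstanding=0; fi
    done
}

# authfail_block_point LINE GAP: same, reading authfail and min from LINE.
authfail_block_point() {
    failures_until_block "$(penalty_field "$1" authfail)" "$(penalty_field "$1" min)" "$2"
}

# min_for_keys LINE KEYS: smallest min with min/authfail > KEYS (fix 1(a)).
min_for_keys() {
    echo $(( $(penalty_field "$1" authfail) * $2 + 1 ))
}

echo "defaults, back-to-back failures: blocked at failure $(authfail_block_point "$SAMPLE" 0)"
echo "defaults, 5s between failures:   blocked at failure $(authfail_block_point "$SAMPLE" 5)"
echo "min needed for 8 rejected keys:  $(min_for_keys "$SAMPLE" 8)s"
```

To check a live server, pass the persourcepenalties line from "sshd -T" in place of SAMPLE.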