(PerSource)Penalties default perhaps too aggressive?

Thu Sep 11 17:04:49 AEST 2025

Hi Damien,

 Let me first state by saying: Thank you for adding this “feature”, and though it is adding value and I’ll use and tune/tweak it in future as need be, I do believe you’ve chosen too aggressive defaults

> On 11 Sep 2025, at 01:36, Damien Miller <djm at mindrot.org> wrote:
> 
> 
> Maybe ssh-copy-id's behaviour of filtering keys by attempting a
> connection with each one could be modified. Perhaps instead it could
> attempt authentication normally and filter keys by grepping in
> authorized_keys. On the other hand there's probably a reason for why it
> works the way it does currently.

Well, that is not always that easy to do:
What about keys in LDAP/etc.?
What about keys in a different directories like /etc/ssh/authorized_keys.d/${user}/ ?

How do you propose it would check for those other sources, other than reimplementing a openssh server config parser? What about the cases where it hits a chrooted environment after login that it can’t check those other sources? or the system is hardened and the user can’t read the /etc/ssh/sshd_config* files ?

ssh-copy-id, from going through the script, is doing a K.I.S.S. operation and that is what makes it so easy to use and useful IMHO.

> Another, more annoying thing ssh-copy-id could do is ratelimit
> connections to ensure that the the penalty threshold is never it. If it
> assumed the default PerSourcePenalties, then it would only need to do
> this if when it is asked to copy three or more keys and even then would
> only need to throttle after the second key is tried.

Yes, as I mentioned in another reply, I patched it to get passed this problem… but suddenly I’m waiting like 15seconds for it now… I have to do a bug request, and have user complaints coming about it :(=)

> If you're in control of the server,

Yes, *IF*

> you can also avoid this condition
> by reducing the authfail penalty and/or increasing the "min" penalty
> threshold. You want authfail * nkeys < min

This is going to be the normal for me, and to be honest, was a very UNEXPECTED problem, and the documentation are scarce, with more false positives coming my way than I’d say it is solving (in my cases and users at least)

> Alternately, as others have suggested, you can allow-list your client
> via PerSourcePenaltyExemptList.

What about the users from different places/mobiles?
 It’ll amount to 2000::/3, again, not adding the intended value then :(

> Finally, the PerSourcePenalties defaults are little more than my guesses
> at values that will usefully throttle attacks without significantly
> affecting legitimate traffic. Feedback is always welcome.

And *my* humble feedback:

 Yes, it is TOO AGGRESSIVE, perhaps take a leaf from sshguard’s defaults as I’ve found it to be blocking a lot of incoming “attacks” without getting in me and my user’s way (yes, when I do trigger it, it was like when I su’d or used wrong destination user multiple times, or automation systems with wrong keys/etc or where the remote implemented password expiries)

If you ask me, I’d say to make the defaults to only fail/disconnect after the 10th attempt like this in a 5 second window, as anything more is a much better indicator and much less false positive of a key-check-attack. Real key check attacks I’ve not seen doing more than a single key to a single host/user, they typically from what it appears, tried it on multiple hosts in sequence, thus this setting doesn’t help that much, it will only really help when they have a corpus of keys they want to check, and then they’ll check rather a bunch in the same session as session setup and teardown takes time.

The attacks I *DO* see constantly in my ssh logs (that sshguard are blocking) is multiple users and then for each user multiple passwords in the SAME SESSION. The [preauth] “attacks” I’ve seen was remote automation systems that the remote sysadmins have made some user/password/key errors (and a connection drop/disconnect in those cases had them confused and reported firewall issues…) and they retry “quickly” on first failure 

Thank you for the feature, but making it more permissive and letting the sysadmin(s) tweak would be my advice. 

HEndrik