Hi,

I understand MaxAuthTries is a parameter used to restrict the maximum number of authentication attempts. But I notice a difference in behavior when run from different client versions.

The MaxAuthTries at the server side is 6. The server side is running OpenSSH 6.6 version.
When wrong password is given from an openssh client 6.1 version, it disconnects after 3 attempts.
When wrong password is given from an openssh client 6.6 version, it disconnects after 5 attempts.

What is the reason for this difference? Shouldn't the behavior be the same, across both the clients, since MaxAuthTries is a server side parameter?

Regards
Opensshuser

On Tue, Feb 10, 2015 at 14:32:44 +0530, sshuser GA wrote:
> Hi,
>
> I understand MaxAuthTries is a parameter used to restrict the maximum
> number of authentication attempts. But I notice a difference in behavior
> when run from different client versions.
> The MaxAuthTries at the server side is 6. The server side is running
> OpenSSH 6.6 version.
> When wrong password is given from an openssh client 6.1 version, it
> disconnects after 3 attempts.
> When wrong password is given from an openssh client 6.6 version, it
> disconnects after 5 attempts.
>
> What is the reason for this difference ? Shouldn't the behavior be the
> same, across both the clients, since MaxAuthTries is a server side
> parameter?
>

Keep in mind that MaxAuthTries is applied against _all_ authentication methods -- not just password authentication. If you use ssh -v, I expect that you will see that the apparent discrepancy is due to public-key or hostbased authentication attempts.

Also, it may be that your clients have NumberOfPasswordPrompts set inconsistently.

--
Iain Morgan

On Wed, 11 Feb 2015, Iain Morgan wrote:
> On Tue, Feb 10, 2015 at 14:32:44 +0530, sshuser GA wrote:
> > Hi,
> >
> > I understand MaxAuthTries is a parameter used to restrict the maximum
> > number of authentication attempts. But I notice a difference in behavior
> > when run from different client versions.
> > The MaxAuthTries at the server side is 6. The server side is running
> > OpenSSH 6.6 version.
> > When wrong password is given from an openssh client 6.1 version, it
> > disconnects after 3 attempts.
> > When wrong password is given from an openssh client 6.6 version, it
> > disconnects after 5 attempts.
> >
> > What is the reason for this difference ? Shouldn't the behavior be the
> > same, across both the clients, since MaxAuthTries is a server side
> > parameter?
> >
>
> Keep in mind that MaxAuthTries is applied against _all_ authentication
> methods -- not just password authentication. If you use ssh -v, I expect
> that you will see that the apparent discrepancy is due to public-key or
> hostbased authentication attempts.
>
> Also, it may be that your clients have NumberOfPasswordPrompts set
> inconsistently.

Or your server was patched to ignore public key queries (also in HEAD).
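
The `ssh -v` check suggested in the replies above can be scripted. This is an added example, not part of the original thread and not OpenSSH code: it groups the server rejections a client saw by authentication method, so that public-key attempts that used up part of MaxAuthTries before the first password prompt become visible. The function names, the sample log, and the `count_publickey` switch (a simplified stand-in for a server that does not count public-key attempts, as the last reply describes) are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `ssh -v` client output; not captured from a real session.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: /home/user/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
"""

NEXT_METHOD = re.compile(r"^debug1: Next authentication method: (\S+)")
REJECTED = re.compile(r"^debug1: Authentications that can continue: ")


def tally_rejections(log: str) -> Counter:
    """Count server rejections seen by the client, grouped by auth method."""
    rejected = Counter()
    method = None  # None until the client picks a method (initial probe reply)
    for line in log.splitlines():
        m = NEXT_METHOD.match(line)
        if m:
            method = m.group(1)
        elif REJECTED.match(line) and method is not None:
            rejected[method] += 1  # rejection belongs to the method in use
    return rejected


def tries_left(log: str, max_auth_tries: int, count_publickey: bool = True) -> int:
    """Simplified model (assumption): each counted rejection uses one try."""
    rejected = tally_rejections(log)
    if not count_publickey:
        rejected.pop("publickey", None)  # server that ignores public-key attempts
    return max(0, max_auth_tries - sum(rejected.values()))


if __name__ == "__main__":
    print(dict(tally_rejections(SAMPLE_LOG)))
    print(tries_left(SAMPLE_LOG, 6), tries_left(SAMPLE_LOG, 6, count_publickey=False))
```

Running it over the `ssh -v` output saved from each client version shows whether the two clients differ in the number of keys offered before the password prompt or in the number of password prompts.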