Good day,

Scenario: Busy with my first deployment/lab test of PVE9/Debian13 that uses OpenSSH 10.0-p1 (1:10.0p1-7 Deb package version), and my normal ssh-copy-id triggers the penalty and then doesn't install the keys. In *my* case I have like 4x keys to load, so ssh-copy-id tries them all, and then the penalty triggers and the keys aren't loaded. My usual protection I deployed was sshguard (but typically after my ssh keys were loaded, and then I run Ansible deployments).

Q: using ssh-copy-id with 4x keys to test and load, how should I change the penalty settings so it doesn't block so aggressively?

Hendrik
On 10/09/2025 20:13, hvjunk wrote:
> Busy with my first deployment/lab test of PVE9/Debian13 that uses OpenSSH 10.0-p1 (1:10.0p1-7 Deb package version) and my normal ssh-copy-id triggers the penalty and then doesn't install the keys.

Do you know (e.g. from sshd logs) what condition is triggering the penalty? There are certain conditions that count against the client, such as failed authentication, clients that disconnect without attempting authentication, clients that wait longer than LoginGraceTime before authenticating, and so on. But AFAIK, a well-behaved client should not be penalised.

https://man.openbsd.org/sshd_config
Rory Campbell-Lange
2025-Sep-10 20:02 UTC
(PerSource)Penalties default perhaps too aggressive?
On 10/09/25, hvjunk (hvjunk at gmail.com) wrote:
> Busy with my first deployment/lab test of PVE9/Debian13 that uses OpenSSH 10.0-p1 (1:10.0p1-7 Deb package version) and my normal ssh-copy-id triggers the penalty and then doesn't install the keys. In *my* case I have like 4x keys to load, so ssh-copy-id tries them all, and then the penalty triggers and the keys aren't loaded.

Can you pre-configure sshd_config on the Debian hosts with the PerSourcePenaltyExemptList directive prior to installing keys? This will allow you to specify a comma-separated list of addresses to exempt from penalties. You could also tweak the penalty settings for various conditions in PerSourcePenalties. I'm guessing expanding min:duration might work in this case, but I haven't tried it.

Rory
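The two directives Rory mentions, written out as a drop-in sshd_config fragment. This is an added example, not configuration from the thread or from the OpenSSH project; the drop-in path, the address 192.0.2.10 (standing in for the host that runs ssh-copy-id and Ansible) and the chosen durations are assumptions, and the commented "default" values should be checked against sshd_config(5) on the target release before relying on them.

```conf
# /etc/ssh/sshd_config.d/10-lab-penalties.conf   (assumed path; Debian's
# stock sshd_config includes /etc/ssh/sshd_config.d/*.conf)

# Option 1: exempt the deployment workstation from penalties altogether.
# Comma-separated list of addresses; CIDR address/masklen is accepted.
# 192.0.2.10 is a placeholder for the host running ssh-copy-id / Ansible.
PerSourcePenaltyExemptList 192.0.2.10

# Option 2: keep penalties enabled but make them less eager for every
# source.  Each keyword is condition:seconds, space-separated.
#   authfail  - refusal time for clients that disconnect after one or more
#               failed authentication attempts (default 5 as recalled)
#   min       - penalty that must accrue before sshd starts refusing
#               connections at all (default 15 as recalled)
#   max       - cap on the accrued penalty (default 600 as recalled)
# A client that offers four keys and has only the last one accepted racks
# up authfail penalties on the way; raising min lets a small burst like
# that pass without ever reaching the refusal threshold.
PerSourcePenalties authfail:5 min:60 max:600

# Option 3 (lab only): turn the mechanism off entirely.
# PerSourcePenalties no
```

After dropping the file in, run `sshd -t` to syntax-check the configuration, `sshd -T | grep -i persourcepenalt` to confirm the values sshd will actually use (this also shows the effective defaults if you leave Option 2 commented out), and then `systemctl reload ssh` on Debian. Of the three, the exempt list is the narrowest change: it only affects the named source, while any PerSourcePenalties value applies to every client the daemon sees.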
On Wed, Sep 10, 2025 at 09:13:54PM +0200, hvjunk wrote:
> Busy with my first deployment/lab test of PVE9/Debian13 that uses OpenSSH 10.0-p1 (1:10.0p1-7 Deb package version) and my normal ssh-copy-id triggers the penalty and then doesn't install the keys. In *my* case I have like 4x keys to load, so ssh-copy-id tries them all, and then the penalty triggers and the keys aren't loaded.

I cherry-picked a post-10.0 upstream fix in this area into Debian testing/unstable, but haven't yet issued a stable update for it. Does https://bugs.debian.org/1080350 sound as though it matches your symptoms?

-- 
Colin Watson (he/him) [cjwatson at debian.org]