This looks like a bug (ssh -v output from user included below).
AUTH_FAIL_MAX is reached before all supported authentication methods
are tried.
One possible solution is to count authentication failures separately
for each method tried, and disconnect if one fails more than
<configurable> times.
Btw: The exit status bug is fixed in the CVS version of OpenSSH, but
I'm not very enthusiastic about deploying a random CVS version of
OpenSSH on a network with about 1000 unix machines and exactly
32767(!) users. Any time estimate for a bugfix release?
Report from user:
[larsar at lpsa larsar]$ ssh -v root at foobar
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: restore_uid
debug1: ssh_connect: getuid 2024 geteuid 0 anon 0
debug1: Connecting to foobar [129.240.148.27] port 22.
debug1: Allocated local port 733.
debug1: temporarily_use_uid: 2024/12024 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /usit/sauron/u4/larsar/.ssh/identity type 0
debug1: identity file /usit/sauron/u4/larsar/.ssh/id_rsa type 1
debug1: identity file /usit/sauron/u4/larsar/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 128/256
debug1: bits set: 1016/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'foobar' is known and matches the DSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts2:201
debug1: bits set: 995/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /hom/larsar/.ssh/id_rsa
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: try pubkey: /usit/sauron/u4/larsar/.ssh/id_rsa
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: try pubkey: /usit/sauron/u4/larsar/.ssh/id_dsa
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
Received disconnect from 129.240.148.27: 2: Too many authentication failures
for root
debug1: Calling cleanup 0x8060104(0x0)
--
Sturle All eyes were on Ford Prefect. Some of them were on stalks.
~~~~~~ -- Douglas Adams, So long, and thanks for all the fish