bugzilla-daemon at mindrot.org
2003-May-12 14:53 UTC
[Bug 561] Please implement MaxAuthTries
http://bugzilla.mindrot.org/show_bug.cgi?id=561
Summary: Please implement MaxAuthTries
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: wmertens at gentoo.org
Hi,
When using Commercial SSH to connect to OpenSSH, it can happen that a user has many keys and this results in a failure to log in due to "Too many authentication failures".
The problem is documented at http://www.tartarus.org/~simon/puttydoc/Chapter10.html#10.5 :
10.5 "Server sent disconnect message type 2 (SSH_DISCONNECT_PROTOCOL_ERROR): "Too many authentication failures for root""
This message is produced by an OpenSSH (or Sun SSH) server if it receives more failed authentication attempts than it is willing to tolerate. This can easily happen if you are using Pageant and have a large number of keys loaded into it. This can be worked around on the server by disabling public-key authentication or (for Sun SSH only) by increasing MaxAuthTries in sshd_config. Neither of these is a really satisfactory solution, and we hope to provide a better one in a future version of PuTTY.
You might not want to implement a MaxAuthTries, but at least something must be done so that broken clients can connect (and asking the user to remove some keys from their agent is not it IMHO).
Thanks!
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-May-12 18:21 UTC
[Bug 561] Please implement MaxAuthTries
http://bugzilla.mindrot.org/show_bug.cgi?id=561
------- Additional Comments From markus at openbsd.org 2003-05-13 04:21 -------
we just changed the openssh client to try the agent key in order of preference (instead of randomly), but this only helps for openssh clients....
bugzilla-daemon at mindrot.org
2003-May-14 12:21 UTC
[Bug 561] Please implement MaxAuthTries
http://bugzilla.mindrot.org/show_bug.cgi?id=561
------- Additional Comments From djm at mindrot.org 2003-05-14 22:21 -------
FYI if you still need this, it is a very easy patch to make (grep for AUTH_FAIL_MAX)
bugzilla-daemon at mindrot.org
2003-May-14 19:03 UTC
[Bug 561] Please implement MaxAuthTries
http://bugzilla.mindrot.org/show_bug.cgi?id=561
------- Additional Comments From wmertens at gentoo.org 2003-05-15 05:03 -------
Well, yes, and this is what I did, but it's not really a good solution imho. I mean, the fact that Sun implements it, means that Sun thought it was worth implementing, even as a stop-gap measure. Do you think there is a way to get around this error when it's legitimate?