> On 10 Sep 2025, at 21:53, Brian Candler <b.candler at pobox.com> wrote:
>
> On 10/09/2025 20:13, hvjunk wrote:
>> Busy with my first deployment/lab test of PVE9/Debian13 that uses
>> OpenSSH 10.0-p1 (1:10.0p1-7 Deb package version) and my normal ssh-copy-id
>> triggers the penalty and then doesn't install the keys.
>
> Do you know (e.g. from sshd logs) what condition is triggering the penalty?
[preauth]
[Sep 10 21:38:22 fatm sshd-session[1518057]: Connection closed by authenticating user root 10.1.10.144 port 57153 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518059]: Connection closed by authenticating user root 10.1.10.144 port 57154 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518061]: Connection closed by authenticating user root 10.1.10.144 port 57157 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518063]: Connection closed by authenticating user root 10.1.10.144 port 57160 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518081]: Connection closed by authenticating user root 10.1.10.144 port 57161 [preauth]
Sep 10 21:38:23 fatm sshd[1517637]: drop connection #0 from [10.1.10.144]:57162 on [10.1.11.11]:22 penalty: failed authentication

> There are certain conditions that count against the client, such as failed
> authentication, clients that disconnect without attempting authentication,
> clients that wait longer than LoginGraceTime before authenticating, and so on.
> But AFAIK, a well-behaved client should not be penalised.
seems in the archives, ssh-copy-id is not defined as a well-behaved client ;(
>
> https://man.openbsd.org/sshd_config
Reading that I'm asking the following questions I've not seen answers to yet
(My AI/google-fu might be bad?)
a) Where/how do I set/change the "min" threshold value that is mentioned?
I see a default 15sec mentioned, but nothing in sshd_config that looks like min
threshold for penalties
b) Which values should I tune for the "preauthorisation" failures that
ssh-copy-id triggers? I.e. how do I make them trigger more frequently before
penalty threshold
c) I see several sub options for PerSourcePenalties, but no example how to set
them (even just the default would be great)
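
For the question of what the sshd logs show before a penalty is applied, an added example (not written by either poster, and not OpenSSH project code): a Python sketch that tallies, per source address, the pre-auth disconnects and the "penalty:" drops in log lines of the format quoted above. The function name summarise and the "no user offered" label are this example's own; the sample lines are the ones from the excerpt with the mail line-wrapping undone.

```python
import re
from collections import Counter, defaultdict

# Log lines from the excerpt quoted above, with mail line-wrapping undone.
SAMPLE_LOG = """\
Sep 10 21:38:22 fatm sshd-session[1518057]: Connection closed by authenticating user root 10.1.10.144 port 57153 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518059]: Connection closed by authenticating user root 10.1.10.144 port 57154 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518061]: Connection closed by authenticating user root 10.1.10.144 port 57157 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518063]: Connection closed by authenticating user root 10.1.10.144 port 57160 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518081]: Connection closed by authenticating user root 10.1.10.144 port 57161 [preauth]
Sep 10 21:38:23 fatm sshd[1517637]: drop connection #0 from [10.1.10.144]:57162 on [10.1.11.11]:22 penalty: failed authentication
"""

# Pre-auth disconnect, with or without a user name having been offered.
CLOSED = re.compile(
    r"Connection closed by (?:(?P<kind>authenticating|invalid) user (?P<user>\S+) )?"
    r"(?P<src>\S+) port \d+ \[preauth\]")
# Listener refusing a connection from a source that is currently penalised.
DROPPED = re.compile(
    r"drop connection #\d+ from \[(?P<src>[^\]]+)\]:\d+ on \S+ penalty: (?P<reason>.+)$")


def summarise(log_text):
    """Per source address: pre-auth closes by kind, and penalty drops by reason."""
    report = defaultdict(lambda: {"closed": Counter(), "dropped": Counter()})
    for line in log_text.splitlines():
        m = CLOSED.search(line)
        if m:
            # Lines without "... user NAME" mean no authentication was attempted.
            report[m["src"]]["closed"][m["kind"] or "no user offered"] += 1
            continue
        m = DROPPED.search(line)
        if m:
            report[m["src"]]["dropped"][m["reason"].strip()] += 1
    return dict(report)


if __name__ == "__main__":
    for src, r in summarise(SAMPLE_LOG).items():
        print(src, dict(r["closed"]), dict(r["dropped"]))
```

On the excerpt this reports five pre-auth closes with a user name offered, followed by one drop with reason "failed authentication", all from 10.1.10.144.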