search for: max_authtries

Apparently my ssh agent is feeling energetic today: debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: [...] debug1: Authentications that can continue: publickey,password debug1: Offering RSA public key: [...] debug1: Authentications that can continue: publickey,password debug1: Offering RSA public key:

...0 @@ -96,6 +96,7 @@ options->print_lastlog = -1; options->x11_forwarding = -1; options->x11_display_offset = -1; + options->max_displays = -1; options->x11_use_localhost = -1; options->permit_tty = -1; options->permit_user_rc = -1; @@ -327,6 +328,8 @@ options->max_authtries = DEFAULT_AUTH_FAIL_MAX; if (options->max_sessions == -1) options->max_sessions = DEFAULT_SESSIONS_MAX; + if (options->max_displays == -1) + options->max_displays = MAX_DISPLAYS; if (options->use_dns == -1) options->use_dns = 0; if (options->client_alive_interval =...

...Jun 17 08:39:12 vm183 sshd[90005]: Connection closed by 10.65.x.x [preauth] which is different to normal password authentication. Further code reading led me to function auth_log() in auth.c:286 where you can see that the other methods than password should be logged only if you exceed the half of max_authtries option. That makes sense since many people just throw their public keys everywhere therefore logging every failure doesn't make sense. But as I tried to push more keys to switch on this knob on, it appeared that in this context, authctxt->failures variable is ALWAYS zero for pubkey authenti...

...being logged in auth.log hans at Draakje:~/src/openssh$ diff -u auth.c auth_new.c --- auth.c 2010-03-07 01:57:00.000000000 +0100 +++ auth_new.c 2010-04-19 19:58:21.564550068 +0200 @@ -263,6 +263,7 @@ if (authenticated == 1 || !authctxt->valid || authctxt->failures >= options.max_authtries / 2 || + strcmp(method, "publickey") == 0 || strcmp(method, "password") == 0) authlog = logit; Perhaps there is a better way to log the failed sshkey logins, but I couldn't find it (my lack of knowledge probably). So any comments are welcome.... Hans --------...

...;) && /* method 'none' */ >+ !options.permit_empty_passwd && /* none !allowed */ >+ !authenticated)) /* failed auth */ >+ auth_log(authctxt, authenticated, method, " ssh2"); I don't see why this in needed. Until you get to options.max_authtries/2 failures (which used to be hard-coded to AUTH_FAIL_MAX/2 = 3) it will only get logged at "verbose" level anyway. >+ if (!options.password_authentication || !options.permit_empty_passwd) >+ return(0); Handled in auth-passwd.c (see above). >- retval = (do_pam_authenticate(0)...

I have passwords turned off, and require keys to match. The zombie armies swarming outside are trying brute force attacks that in part involve guessing login NAMES. If they guess the wrong NAME, this is logged in syslog. If they guess a working user name, then the attack has PARTIALLY SUCCEEDED, but this information is IGNORED. That is, it is not logged. If the zombie army has tell when it

...tModes: intptr = &options->strict_modes; goto parse_flag; @@ -1657,6 +1665,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_use_localhost); + M_CP_INTOPT(no_pty); M_CP_INTOPT(max_sessions); M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); @@ -1883,6 +1892,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); + dump_cfg_fmtint(sNoPty, o->no_p...

Hello. I am trying to play through the following test scenario about certificate revocation on Ubuntu 18.04, which has OpenSSH of this version: OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n? 7 Dec 2017 1. A CA key is created ssh-keygen -t ed25519 -f ca 2. The CA public key is added to ~/.ssh/authorized_keys on some server: cert-authority ssh-ed25519 AAAA...e ca at yoga 3. A user key is created on a