Bug 561

Summary:

Please implement MaxAuthTries

Product:

Portable OpenSSH

Reporter:

Wout Mertens <wmertens>

Component:

sshd

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED FIXED

Severity:

enhancement

Keywords:

low-hanging-fruit, openbsd, patch

Priority:

Version:

-current

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

822

Attachments:

Description	Flags
Implement MaxAuthTries, patch against OpenBSD.	none
Add MaxAuthTries and MaxAuthTriesLog, patch against OpenBSD	none
Update patch to -current, add to example sshd_config	none

Description Wout Mertens 2003-05-13 00:53:19 AEST

Hi, 
 
When using Commercial SSH to connect to OpenSSH, it can happen that a user has many keys 
and this results in a failure to log in due to "Too many authentication failures". 
 
The problem is documented at http://www.tartarus.org/~simon/puttydoc/Chapter10.html#10.5 : 
 
10.5 "Server sent disconnect message type 2 (SSH_DISCONNECT_PROTOCOL_ERROR): 
"Too many authentication failures for root"" 
 
  
 
This message is produced by an OpenSSH (or Sun SSH) server if it receives more failed 
authentication attempts than it is willing to tolerate. This can easily happen if you are using 
Pageant and have a large number of keys loaded into it. This can be worked around on the server by 
disabling public-key authentication or (for Sun SSH only) by increasing MaxAuthTries in 
sshd_config. Neither of these is a really satisfactory solution, and we hope to provide a better one in 
a future version of PuTTY. 
 
You might not want to implement a MaxAuthTries, but at least something must be done so that 
broken clients can connect (and asking the user to remove some keys from their agent is not it 
IMHO). 
 
Thanks!

Comment 1 Markus Friedl 2003-05-13 04:21:29 AEST

we just changed the openssh client to try the agent key
in order of preference (instead of randomly), but this
only helps for openssh clients....

Comment 2 Damien Miller 2003-05-14 22:21:25 AEST

FYI if you still need this, it is a very easy patch to make (grep for AUTH_FAIL_MAX)

Comment 3 Wout Mertens 2003-05-15 05:03:05 AEST

Well, yes, and this is what I did, but it's not really a good solution imho. 
 
I mean, the fact that Sun implements it, means that Sun thought it was worth implementing, even 
as a stop-gat measure. Do you think there is a way to get around this error when it's legitimate?

Comment 4 Darren Tucker 2003-09-05 15:00:55 AEST

Created attachment 382 [details]
Implement MaxAuthTries, patch against OpenBSD.

Would something like this be accepted for OpenBSD?  If so I'll do the man page
for it.

Comment 5 Darren Tucker 2004-03-13 00:54:22 AEDT

Just need to add MaxAuthTriesLog and man page entries...  (after the 3.8.1
release, that is)

Comment 6 Darren Tucker 2004-05-03 11:46:21 AEST

Created attachment 623 [details]
Add MaxAuthTries and MaxAuthTriesLog, patch against OpenBSD

Comment 7 Darren Tucker 2004-05-03 11:47:18 AEST

Target for 3.9

Comment 8 Darren Tucker 2004-05-17 10:15:20 AEST

Created attachment 636 [details]
Update patch to -current, add to example sshd_config

Comment 9 Darren Tucker 2004-05-24 10:43:50 AEST

This has just been added (MaxAuthTries only, not MaxAuthTriesLog), and will be
in tomorrow's snapshot and the next major release.  Thanks for the report.