Bug 561 - Please implement MaxAuthTries
Summary: Please implement MaxAuthTries
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: -current
Hardware: All All
Importance: P2 enhancement
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords: low-hanging-fruit, openbsd, patch
Depends on:
Blocks: 822
 
Reported: 2003-05-13 00:53 AEST by Wout Mertens
Modified: 2004-09-11 13:18 AEST (History)

See Also:


Attachments
Implement MaxAuthTries, patch against OpenBSD. (5.01 KB, patch)
2003-09-05 15:00 AEST, Darren Tucker
Add MaxAuthTries and MaxAuthTriesLog, patch against OpenBSD (5.96 KB, patch)
2004-05-03 11:46 AEST, Darren Tucker
Update patch to -current, add to example sshd_config (6.40 KB, patch)
2004-05-17 10:15 AEST, Darren Tucker

Description Wout Mertens 2003-05-13 00:53:19 AEST
Hi, 
 
When using Commercial SSH to connect to OpenSSH, it can happen that a user has many keys 
and this results in a failure to log in due to "Too many authentication failures". 
 
The problem is documented at http://www.tartarus.org/~simon/puttydoc/Chapter10.html#10.5 : 
 
10.5 "Server sent disconnect message type 2 (SSH_DISCONNECT_PROTOCOL_ERROR): 
"Too many authentication failures for root"" 
 
  
 
This message is produced by an OpenSSH (or Sun SSH) server if it receives more failed 
authentication attempts than it is willing to tolerate. This can easily happen if you are using 
Pageant and have a large number of keys loaded into it. This can be worked around on the server by 
disabling public-key authentication or (for Sun SSH only) by increasing MaxAuthTries in 
sshd_config. Neither of these is a really satisfactory solution, and we hope to provide a better one in 
a future version of PuTTY. 
 
You might not want to implement a MaxAuthTries, but at least something must be done so that 
broken clients can connect (and asking the user to remove some keys from their agent is not it 
IMHO). 
 
Thanks!
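The failure described in the report comes from a per-connection budget: every public key the client offers that is not in authorized_keys counts as one failed authentication attempt, and once the count reaches sshd's limit (the hard-coded AUTH_FAIL_MAX before this bug, the MaxAuthTries keyword afterwards) the server disconnects. The script below is an added example, not code from the bug report or from the OpenSSH tree. It reads the effective MaxAuthTries from an sshd_config (assuming the OpenSSH default of 6 when the keyword is absent) and checks whether an agent holding a given number of keys can still reach its matching key in the worst case, when that key is offered last. The sample configurations and key counts are constructed for the example; the exact disconnect boundary (disconnect once failures reach MaxAuthTries) is stated as an assumption in the code.

```shell
#!/bin/sh
# Added example (not from bug 561 or the OpenSSH sources): check whether an
# agent with N keys can survive sshd's MaxAuthTries budget.

# Constructed sample sshd_config contents, not real files.
SSHD_CONFIG_DEFAULT='Port 22
# MaxAuthTries left unset: the OpenSSH default of 6 applies
PubkeyAuthentication yes'

SSHD_CONFIG_RAISED='Port 22
MaxAuthTries 10
PubkeyAuthentication yes'

# Usage: max_auth_tries "$config_text"
# Prints the MaxAuthTries value in effect. sshd keywords are
# case-insensitive and the first occurrence of a keyword wins, so the
# text is lower-cased and the first "maxauthtries" line is used.
# Comment lines start with "#" and never match. Falls back to 6, the
# OpenSSH default, when the keyword is absent.
max_auth_tries() {
    v=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        awk '$1 == "maxauthtries" { print $2; exit }')
    if [ -n "$v" ]; then
        echo "$v"
    else
        echo 6
    fi
}

# Usage: agent_fits NKEYS "$config_text"
# Returns 0 when an agent holding NKEYS keys can present its matching key
# even if that key is offered last, i.e. after NKEYS-1 rejected offers.
# Assumption: sshd disconnects once the failure count reaches MaxAuthTries,
# so NKEYS-1 failures must stay strictly below the limit.
agent_fits() {
    nkeys=$1
    max=$(max_auth_tries "$2")
    [ "$((nkeys - 1))" -lt "$max" ]
}

# Count the keys loaded in the running ssh-agent; 0 if there is no agent,
# no identities, or no ssh-add binary. Each key line from "ssh-add -l"
# starts with the key's bit length.
agent_key_count() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true
}

# Stand-alone report: first argument is the sshd_config to inspect
# (default /etc/ssh/sshd_config); the constructed default config is used
# when that file is unreadable so the script also runs offline.
cfg_file=${1:-/etc/ssh/sshd_config}
if [ -r "$cfg_file" ]; then
    cfg=$(cat "$cfg_file")
else
    cfg=$SSHD_CONFIG_DEFAULT
fi
n=$(agent_key_count)
echo "MaxAuthTries in effect: $(max_auth_tries "$cfg"); keys in agent: $n"
if agent_fits "$n" "$cfg"; then
    echo "ok: every loaded key can be offered before sshd disconnects"
else
    echo "risk: with $n agent keys a login may fail with" \
         "'Too many authentication failures' if the right key is offered late"
fi
```

Two caveats. MaxAuthTries is also accepted inside Match blocks, so a per-user or per-host override can differ from the first occurrence this parser reports; inspect the full file when Match blocks are present. And raising MaxAuthTries server-wide to accommodate key-heavy agents also hands password brute-forcers more guesses per connection, so the preferable fix is on the client: in OpenSSH's ssh_config, `IdentitiesOnly yes` together with an explicit `IdentityFile` for the host stops the client from offering every agent key.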
Comment 1 Markus Friedl 2003-05-13 04:21:29 AEST
we just changed the openssh client to try the agent key
in order of preference (instead of randomly), but this
only helps for openssh clients....
Comment 2 Damien Miller 2003-05-14 22:21:25 AEST
FYI if you still need this, it is a very easy patch to make (grep for AUTH_FAIL_MAX)
Comment 3 Wout Mertens 2003-05-15 05:03:05 AEST
Well, yes, and this is what I did, but it's not really a good solution imho. 
 
I mean, the fact that Sun implements it, means that Sun thought it was worth implementing, even 
as a stop-gap measure. Do you think there is a way to get around this error when it's legitimate? 
 
Comment 4 Darren Tucker 2003-09-05 15:00:55 AEST
Created attachment 382 [details]
Implement MaxAuthTries, patch against OpenBSD.

Would something like this be accepted for OpenBSD?  If so I'll do the man page
for it.
Comment 5 Darren Tucker 2004-03-13 00:54:22 AEDT
Just need to add MaxAuthTriesLog and man page entries...  (after the 3.8.1
release, that is)
Comment 6 Darren Tucker 2004-05-03 11:46:21 AEST
Created attachment 623 [details]
Add MaxAuthTries and MaxAuthTriesLog, patch against OpenBSD
Comment 7 Darren Tucker 2004-05-03 11:47:18 AEST
Target for 3.9
Comment 8 Darren Tucker 2004-05-17 10:15:20 AEST
Created attachment 636 [details]
Update patch to -current, add to example sshd_config
Comment 9 Darren Tucker 2004-05-24 10:43:50 AEST
This has just been added (MaxAuthTries only, not MaxAuthTriesLog), and will be
in tomorrow's snapshot and the next major release.  Thanks for the report.