IETF-SSH archive


Re: "too many auth failures"?



On Tue, Oct 26, 2010 at 02:20:27PM -0400, der Mouse wrote:
> I recently ran into some ssh behaviour that strikes me as broken and
> thought I'd see what the list thought.

Yes, I've seen this a lot.

Some implementations treat all userauth method failures as contributing
equally to a max-failures counter.  This is really, really wrong.  Only
"password" and "keyboard-interactive" failures should count for the
traditional max-failures counter, with a separate counter for GSS,
pubkey, and hostbased userauth.

What's really galling is that "none" failures also count -- there are too
many clients that start by attempting "none" userauth.  And, of course,
clients try the non-interactive/password methods first, as you'd
expect.

So you might have 1 "none" failure, 2 "hostbased" failures (if the
client has DSS and RSA keys), N "publickey" failures, and never get to
"keyboard-interactive" nor "password" userauth.  If the server has a 6
failures max counter your client will get disconnected when it tries the
third publickey that is rejected.

Whenever I run into such a server I have to resort to enabling only the
userauth method I expect to see succeed.  I hate having to do that.

I also hate the fact that keyex is not retryable.

I'm all for publishing an RFC saying "don't do such stupid things".

Nico
-- 

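To make the accounting problem concrete, here is a small added simulation (my own example, not code from the mail or from any SSH implementation). It models the two policies the mail contrasts, a single shared max-failures counter versus a counter that only password and keyboard-interactive failures touch, and replays the attempt sequence from the mail against each. The second budget of 20 non-interactive failures is an assumed value; the mail gives none.

```python
from dataclasses import dataclass

# Methods whose failures are evidence of online secret guessing and so
# belong on the traditional lockout counter.
INTERACTIVE = {"password", "keyboard-interactive"}

MAX_FAILURES = 6          # the "6 failures max" server from the mail
MAX_NONINTERACTIVE = 20   # assumed separate budget, not from the mail


@dataclass
class NaiveServer:
    """Every rejected userauth request bumps one shared counter."""
    failures: int = 0

    def reject(self, method: str) -> bool:
        """Record a rejection; return True once the server would disconnect."""
        self.failures += 1
        return self.failures >= MAX_FAILURES


@dataclass
class SplitServer:
    """Only password/keyboard-interactive rejections hit the lockout counter;
    none/publickey/hostbased/GSS rejections are budgeted separately."""
    interactive: int = 0
    noninteractive: int = 0

    def reject(self, method: str) -> bool:
        if method in INTERACTIVE:
            self.interactive += 1
            return self.interactive >= MAX_FAILURES
        self.noninteractive += 1
        return self.noninteractive >= MAX_NONINTERACTIVE


def replay(server, attempts):
    """Feed (method, succeeds) pairs in order. Returns ("ok", i) when attempt i
    succeeds, or ("disconnected", i) when the server cuts the connection."""
    for i, (method, succeeds) in enumerate(attempts):
        if succeeds:
            return ("ok", i)
        if server.reject(method):
            return ("disconnected", i)
    return ("exhausted", len(attempts))


# Constructed sequence following the mail: one "none", two hostbased offers
# (DSS and RSA), N=5 rejected publickey offers, then the method that works.
ATTEMPTS = ([("none", False)] + [("hostbased", False)] * 2
            + [("publickey", False)] * 5 + [("keyboard-interactive", True)])

if __name__ == "__main__":
    print("naive:", replay(NaiveServer(), ATTEMPTS))   # disconnected at the 3rd publickey
    print("split:", replay(SplitServer(), ATTEMPTS))   # reaches keyboard-interactive
```

The naive server drops the client on the third rejected publickey exactly as the mail describes, while the split counters keep the password-guessing limit intact and still let the client reach the method that succeeds.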

