Re: "too many auth failures"?

To: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Subject: Re: "too many auth failures"?
From: Nicolas Williams <Nicolas.Williams%oracle.com@localhost>
Date: Wed, 27 Oct 2010 00:23:04 -0500

On Wed, Oct 27, 2010 at 03:05:07PM +1300, Peter Gutmann wrote:
> der Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:
> 
> >So, thoughts?  Am I missing something, or is this really as ill-behaved as I
> >think?
> 
> I don't think it is.  If you've set the server up to allow three tries at auth
> then you get three tries (I'm assuming it's set up to allow six here, which is
> a bit non-traditional, I would have expected three).  Stepping back a bit, why
> are you sending *six* keys to the server?  Shouldn't the client know which key
> it's supposed to use?  It seems more like the client is broken than the
> server.

My view is that servers should have two failure counters: one for
password and keyboard-interactive, another one for all others.

Nico
--

Follow-Ups:
- Re: "too many auth failures"?
  - From: Peter Gutmann

References:
- "too many auth failures"?
  - From: der Mouse
- Re: "too many auth failures"?
  - From: Peter Gutmann

Prev by Date: Re: "too many auth failures"?
Next by Date: Re: "too many auth failures"?
Previous by Thread: Re: "too many auth failures"?
Next by Thread: Re: "too many auth failures"?
Indexes:

Home | Main Index | Thread Index | Old Index