IETF-SSH archive
Re: "too many auth failures"?
Nicolas Williams <Nicolas.Williams%oracle.com@localhost> writes:
>> (I still think the real problem isn't the server but the client, how's it
>> managing to try six different keys to get to one server?).
>
> Why not? SSH user public keys are effectively pseudonyms, so you can
> see why users might have many of them. Nothing wrong with that... On
> the server side you don't want a client sucking up resources testing
> whether some pubkey or another might work... so the server says all
> might work and the client has to actually sign with those keys, and the
> server also has to implement resource controls pre-authentication
> (including a timer to disconnect if the client takes too long to
> authenticate).
Isn't this another problem? Often private keys are protected by a
password or require a PIN to unlock a smartcard, and iterating to sign
with all keys becomes a user interface issue quickly. This is how
libssh2 works, and I couldn't think of any way to avoid it.
/Simon