IETF-SSH archive


Re: "too many auth failures"?



>> So, thoughts?  Am I missing something, or is this really as
>> ill-behaved as I think?
> I don't think it is.  If you've set the server up to allow three
> tries at auth then you get three tries (I'm assuming it's set up to
> allow six here, which is a bit non-traditional, I would have expected
> three).

I didn't set it up; this is, as far as I know, out-of-the-box vendor
defaults for the system in question.

> Stepping back a bit, why are you sending *six* keys to the server?
> Shouldn't the client know which key it's supposed to use?

How should it know that?  It's got four keys in the agent; when they're
exhausted, it tries the two it finds in files.  I could have configured
it differently, but, since I didn't give it any particular
configuration, it has no reason to think any key is more likely to work
than any other.

As for retries, I conjecture that the retry limit is something more
normal like three or five, but, while the implementation counts
publickey failures (or, more precisely, keys offered which the server
finds unacceptable) against the limit, it doesn't actually *test* the
limit until the client tries to use keyboard-interactive.

But that's just conjecture.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
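
Added example, not part of the original message and not taken from any SSH implementation: a toy model of the conjecture above, in which every rejected key counts against the retry limit but the limit is only tested on certain request types. The limit of 3, the method names as labels, and the attempt sequence (four agent keys, two file keys, then keyboard-interactive) are assumptions constructed from the description in the thread.

```python
"""Toy model of the retry-limit conjecture; models no real server's code."""

def run_auth(attempts, limit, check_on):
    """Replay client auth attempts against a modelled server.

    attempts: list of (method, accepted) tuples, in the order sent.
    limit:    failure count at which the server is willing to disconnect.
    check_on: methods whose arrival makes the server test the limit;
              failures are counted for every method regardless.
    Returns the (method, outcome) events the client would observe.
    """
    failures = 0
    events = []
    for method, accepted in attempts:
        # The limit is tested only when a request of a checked method arrives.
        if method in check_on and failures >= limit:
            events.append((method, "disconnect"))
            return events
        if accepted:
            events.append((method, "success"))
            return events
        failures += 1
        events.append((method, "failure"))
    return events

# Constructed input: six unacceptable keys, then keyboard-interactive.
SIX_KEYS_THEN_KBDINT = [("publickey", False)] * 6 + [("keyboard-interactive", False)]
# Constructed input: same client, but the sixth key offered is the right one.
SIXTH_KEY_GOOD = [("publickey", False)] * 5 + [("publickey", True)]

EVERY_REQUEST = {"publickey", "keyboard-interactive"}  # limit tested on each request
DEFERRED = {"keyboard-interactive"}                    # the conjectured behaviour

if __name__ == "__main__":
    for name, checks in (("every request", EVERY_REQUEST), ("deferred", DEFERRED)):
        for label, seq in (("all keys bad", SIX_KEYS_THEN_KBDINT),
                           ("sixth key good", SIXTH_KEY_GOOD)):
            print(f"{name:14} {label:15} {run_auth(seq, 3, checks)}")
```

Under the deferred model all six keys are rejected individually and the disconnect arrives only at the keyboard-interactive request, while a server testing the limit on every request cuts the client off at the fourth key, before a valid sixth key could be offered.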


