Re: "too many auth failures"?

To: ietf-ssh%netbsd.org@localhost
Subject: Re: "too many auth failures"?
From: der Mouse <mouse%Rodents-Montreal.ORG@localhost>
Date: Wed, 27 Oct 2010 10:34:35 -0400 (EDT)

>> [trying six publickey keys]
> On the server side you don't want a client sucking up resources
> testing whether some pubkey or another might work...

That's actually a relatively cheap operation on most servers, and ssh
specifically supports it: see the first form of
SSH_MSG_USERAUTH_REQUEST (RFC4252, section 7).

> so the server says all might work and the client has to actually sign
> with those keys,

This was not the behaviour I saw.  My packet traces show the server
refusing the keys without asking the client to perform PK operations,
and my agent has an interface that, among other things, prints
something every time it actually performs a publickey operation, which
didn't show anything during my failed login attempts.

> and the server also has to implement resource controls
> pre-authentication (including a timer to disconnect if the client
> takes too long to authenticate).

The delay from my attempting the login to my getting the failure was
less than any reasonable timeout - less than the time it would take for
me to type a password I didn't know by heart, certainly.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

References:
- Re: "too many auth failures"?
  - From: Nicolas Williams
- Re: "too many auth failures"?
  - From: Peter Gutmann
- Re: "too many auth failures"?
  - From: Nicolas Williams

Prev by Date: Re: "too many auth failures"?
Next by Date: Re: "too many auth failures"?
Previous by Thread: Re: "too many auth failures"?
Next by Thread: Re: "too many auth failures"?
Indexes:

Home | Main Index | Thread Index | Old Index