IETF-SSH archive


Re: "too many auth failures"?



>> [trying six publickey keys]
> On the server side you don't want a client sucking up resources
> testing whether some pubkey or another might work...

That's actually a relatively cheap operation on most servers, and ssh
specifically supports it: see the first form of
SSH_MSG_USERAUTH_REQUEST (RFC4252, section 7).

> so the server says all might work and the client has to actually sign
> with those keys,

This was not the behaviour I saw.  My packet traces show the server
refusing the keys without asking the client to perform PK operations,
and my agent has an interface that, among other things, prints
something every time it actually performs a publickey operation, which
didn't show anything during my failed login attempts.

> and the server also has to implement resource controls
> pre-authentication (including a timer to disconnect if the client
> takes too long to authenticate).

The delay from my attempting the login to my getting the failure was
less than any reasonable timeout - less than the time it would take for
me to type a password I didn't know by heart, certainly.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
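
As an added illustration (not part of the original message or of any SSH implementation), this sketch encodes the first, signature-less form of the publickey SSH_MSG_USERAUTH_REQUEST from RFC 4252 section 7 and models a server that answers it by key lookup alone. The user name, the key blobs, and a per-connection limit that counts each rejected query as a failure are assumptions made for the example.

```python
import struct
REQUEST, FAILURE, PK_OK = 50, 51, 60   # RFC 4252 message numbers

def s(data: bytes) -> bytes:            # RFC 4251 string: uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def build_query(user: bytes, algo: bytes, blob: bytes) -> bytes:
    """First form of the publickey request: boolean FALSE, no signature."""
    return (bytes([REQUEST]) + s(user) + s(b"ssh-connection")
            + s(b"publickey") + b"\x00" + s(algo) + s(blob))

def parse_query(msg: bytes) -> dict:
    """Decode a query-form request, rejecting malformed or signed input."""
    pos = 1
    def string():
        nonlocal pos
        end = pos + 4 + int.from_bytes(msg[pos:pos + 4], "big")
        if pos + 4 > len(msg) or end > len(msg):
            raise ValueError("truncated message")
        field, pos = msg[pos + 4:end], end
        return field
    user, service, method = string(), string(), string()
    if msg[:1] != bytes([REQUEST]) or method != b"publickey" or msg[pos:pos + 1] != b"\x00":
        raise ValueError("not a signature-less publickey request")
    pos += 1
    algo, blob = string(), string()
    if pos != len(msg):
        raise ValueError("trailing bytes")
    return {"user": user, "algo": algo, "blob": blob}

def server_reply(msg: bytes, authorized: set) -> bytes:
    """Answer a query by key lookup alone; nothing is signed or verified."""
    req = parse_query(msg)
    if req["blob"] in authorized:
        return bytes([PK_OK]) + s(req["algo"]) + s(req["blob"])
    # FAILURE body: methods that can continue, then partial success FALSE
    return bytes([FAILURE]) + s(b"publickey") + b"\x00"

def offer_keys(blobs, authorized, max_failures):
    """Offer each key in query form; returns (outcome, failures counted)."""
    failures = 0
    for blob in blobs:
        reply = server_reply(build_query(b"alice", b"ssh-ed25519", blob), authorized)
        if reply[0] == PK_OK:
            return ("would-sign", failures)
        failures += 1      # assumption: a rejected query counts as a failure
        if failures >= max_failures:
            return ("disconnected", failures)
    return ("exhausted", failures)

KEYS = [b"constructed-key-%d" % i for i in range(6)]  # constructed blobs, not real keys
```

With six unauthorized keys and a limit of six, `offer_keys(KEYS, set(), 6)` ends in `("disconnected", 6)` without any signature being produced, because the query form carries none.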


