IETF-SSH archive


Re: "too many auth failures"?



On Wed, Oct 27, 2010 at 08:23:19AM +0200, Simon Josefsson wrote:
> Nicolas Williams <Nicolas.Williams%oracle.com@localhost> writes:
> 
> >> (I still think the real problem isn't the server but the client, how's it
> >> managing to try six different keys to get to one server?).
> >
> > Why not?  SSH user public keys are effectively pseudonyms, so you can
> > see why users might have many of them.  Nothing wrong with that...  On
> > the server side you don't want a client sucking up resources testing
> > whether some pubkey or another might work...  so the server says all
> > might work and the client has to actually sign with those keys, and the
> > server also has to implement resource controls pre-authentication
> > (including a timer to disconnect if the client takes too long to
> > authenticate).
> 
> Isn't this another problem?  Often private keys are protected by a
> password or require a PIN to unlock a smartcard, and iterating to sign
> with all keys becomes a user interface issue quickly.  This is how
> libssh2 works, and I couldn't think of any way to avoid it.

That's a client-side issue.  We're talking about server-side max try
counters.
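The two sides of the argument above map onto ordinary OpenSSH settings, shown here as an added illustration that is not part of the thread. `MaxAuthTries` is the server-side max try counter (the "Too many authentication failures" disconnect in the subject line) and `LoginGraceTime` is the pre-authentication timer Nicolas mentions; `IdentitiesOnly` is the client-side fix for an agent that offers every key it holds to every host. Hostnames, paths and the chosen values are illustrative assumptions.

```text
# /etc/ssh/sshd_config  (server side: resource controls before authentication)
MaxAuthTries 6        # attempts per connection; the default, each offered pubkey counts
LoginGraceTime 60     # seconds to finish authenticating before the server drops the session
MaxStartups 10:30:100 # cap on concurrent unauthenticated connections (start:rate:full)

# ~/.ssh/config  (client side: stop offering six keys to a server that accepts one)
Host build.example.net          # assumed hostname
    IdentitiesOnly yes          # offer only the IdentityFile(s) listed here, not every agent key
    IdentityFile ~/.ssh/id_ed25519_build   # assumed key path
    PubkeyAuthentication yes

Host *
    IdentitiesOnly yes          # safe default: a stray key in the agent never burns a try
```

With `IdentitiesOnly yes` and no `IdentityFile` for a host, `ssh` falls back to its default key names in `~/.ssh`, so a user with many pseudonymous keys gets predictable behaviour per host rather than hitting the server's counter. Counting a pubkey query that carries no signature as a failure is what makes the thread's "six different keys" trip the limit before the client has even been asked to sign anything.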


