Re: "too many auth failures"?

[Nicolas Williams <Nicolas.Williams%oracle.com@localhost>]

On Wed, Oct 27, 2010 at 02:07:18PM -0500, Nicolas Williams wrote:
> On Wed, Oct 27, 2010 at 08:23:19AM +0200, Simon Josefsson wrote:
> > Nicolas Williams <Nicolas.Williams%oracle.com@localhost> writes:
> > 
> > >> (I still think the real problem isn't the server but the client, how's it
> > >> managing to try six different keys to get to one server?).
> > >
> > > Why not?  SSH user public keys are effectively pseudonyms, so you can
> > > see why users might have many of them.  Nothing wrong with that...  On
> > > the server side you don't want a client sucking up resources testing
> > > whether some pubkey or another might work...  so the server says all
> > > might work and the client has to actually sign with those keys, and the
> > > server also has to implement resource controls pre-authentication
> > > (including a timer to disconnect if the client takes too long to
> > > authenticate).
> > 
> > Isn't this another problem?  Often private keys are protected by a
> > password or requires a PIN to unlock a smartcard, and iterating to sign
> > with all keys becomes a user interface issue quickly.  This is how
> > libssh2 works, and I couldn't think of any way to avoid it.
> 
> That's a client-side issue.  We're talking about server-side max try
> counters.

Also, you could refuse to enter a PIN to get the key skipped...  You
could specify what key to use...  You could specify to not use any keys.
You could use an agent that gets the PIN.