IETF-SSH archive


Re: "too many auth failures"?



On Wed, Oct 27, 2010 at 02:07:18PM -0500, Nicolas Williams wrote:
> On Wed, Oct 27, 2010 at 08:23:19AM +0200, Simon Josefsson wrote:
> > Nicolas Williams <Nicolas.Williams%oracle.com@localhost> writes:
> > 
> > >> (I still think the real problem isn't the server but the client, how's it
> > >> managing to try six different keys to get to one server?).
> > >
> > > Why not?  SSH user public keys are effectively pseudonyms, so you can
> > > see why users might have many of them.  Nothing wrong with that...  On
> > > the server side you don't want a client sucking up resources testing
> > > whether some pubkey or another might work...  so the server says all
> > > might work and the client has to actually sign with those keys, and the
> > > server also has to implement resource controls pre-authentication
> > > (including a timer to disconnect if the client takes too long to
> > > authenticate).
> > 
> > Isn't this another problem?  Often private keys are protected by a
> > password or require a PIN to unlock a smartcard, and iterating to sign
> > with all keys becomes a user interface issue quickly.  This is how
> > libssh2 works, and I couldn't think of any way to avoid it.
> 
> That's a client-side issue.  We're talking about server-side max try
> counters.

Also, you could refuse to enter a PIN to get the key skipped...  You
could specify what key to use...  You could specify to not use any keys.
You could use an agent that gets the PIN.
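The client- and server-side knobs discussed in this thread map onto OpenSSH configuration options. The fragment below is an added illustration, not part of the original message or of any project's shipped defaults; the hostnames, socket and key paths, and the specific numeric values are constructed for the example. The client section shows the three approaches named above (pin a single key, disable public-key auth, delegate the PIN to an agent); the server section shows the pre-authentication resource controls (per-connection attempt limit, authentication timer, and a cap on unauthenticated connections).

```sshconfig
# --- Client side: ~/.ssh/config (constructed example) ---

# Offer only the key named here instead of every key the agent holds,
# so the server's failed-attempt counter is not consumed by keys that
# were never going to match.
Host build-server.example.invalid
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_build_ed25519

# Skip public-key authentication entirely for a host that only
# accepts password or keyboard-interactive logins.
Host legacy-box.example.invalid
    PubkeyAuthentication no
    PreferredAuthentications keyboard-interactive,password

# Let an agent that has already unlocked the smartcard (PIN entered once)
# perform the signing; still restrict which key is offered.
Host *.corp.example.invalid
    IdentityAgent ~/.ssh/agent.sock
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_corp_ed25519

# --- Server side: /etc/ssh/sshd_config (constructed example) ---

# Pre-authentication resource controls: attempts allowed per connection,
# seconds an unauthenticated connection may stay open, and how many
# unauthenticated connections may be pending at once (start:rate:full).
MaxAuthTries 6
LoginGraceTime 60
MaxStartups 10:30:100
```

Each public key the client offers counts against `MaxAuthTries` on the server side, which is why a client with more keys loaded than the server's limit can be disconnected before it ever reaches the key that would have worked; `IdentitiesOnly` with an explicit `IdentityFile` is the usual remedy.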