On 10/26/2010 20:05, Peter Gutmann wrote:
> der Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:
>
>> So, thoughts? Am I missing something, or is this really as ill-behaved
>> as I think?
>
> I don't think it is. If you've set the server up to allow three tries
> at auth then you get three tries (I'm assuming it's set up to allow six
> here, which is a bit non-traditional, I would have expected three).
>
> Stepping back a bit, why are you sending *six* keys to the server?
> Shouldn't the client know which key it's supposed to use? It seems more
> like the client is broken than the server.

I don't think the SSH server should count unsigned publickey attempts as
failures, since they aren't really an attempt. There are many
clients that simply try all the keys they know about as unsigned
attempts in an attempt to get connected with less user configuration.
A signed publickey attempt with a bad signature probably should be
counted as a failure though.
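
The counting policy proposed in the reply above, sketched as an added example (not code from this thread or from any SSH server). It parses the RFC 4252 publickey request to tell an unsigned query from a signed attempt; `classify`, `AuthCounter`, `build_request`, the default limit of three and the sample values are assumptions made for illustration.

```python
SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252

def ssh_string(data):
    return len(data).to_bytes(4, "big") + data  # uint32 length + bytes

def read_string(buf, off):
    """Read an SSH string (uint32 length + bytes); return (value, next offset)."""
    n = int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_request(user, algorithm, key_blob, signature=None):
    """Constructed sample publickey request; signature=None gives an unsigned query."""
    body = bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
    body += ssh_string(b"ssh-connection") + ssh_string(b"publickey")
    body += bytes([signature is not None]) + ssh_string(algorithm) + ssh_string(key_blob)
    return body + (ssh_string(signature) if signature is not None else b"")

def classify(payload):
    """Return 'probe' (unsigned query), 'signed', or 'other' (not publickey)."""
    if payload[:1] != bytes([SSH_MSG_USERAUTH_REQUEST]):
        raise ValueError("not a USERAUTH_REQUEST")
    _user, off = read_string(payload, 1)
    _service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    if method != b"publickey":
        return "other"
    if off >= len(payload):
        raise ValueError("missing signature flag")
    signed = payload[off] != 0          # boolean: FALSE = query, TRUE = signed
    _alg, off = read_string(payload, off + 1)
    _blob, off = read_string(payload, off)
    if signed:
        read_string(payload, off)       # a signed attempt must carry a signature
    return "signed" if signed else "probe"

class AuthCounter:
    """Hypothetical per-connection counter implementing the proposed policy."""
    def __init__(self, max_failures=3):
        self.max_failures, self.failures, self.probes = max_failures, 0, 0
    def record(self, payload, auth_ok=False):
        """Count one request; return True while further attempts are allowed."""
        kind = classify(payload)
        if kind == "probe":
            self.probes += 1      # key query, nothing was proven: not a failure
        elif not auth_ok:
            self.failures += 1    # bad signature (or another method failing)
        return self.failures < self.max_failures
```

`probes` is tracked separately so that queries can still be bounded by their own limit, independent of the failure count.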