IETF-SSH archive


Re: "too many auth failures"?



On Wed, Oct 27, 2010 at 09:53:39PM +0200, nisse%lysator.liu.se@localhost wrote:
> Simon Josefsson <simon%josefsson.org@localhost> writes:
> > Often private keys are protected by a password or requires a PIN to
> > unlock a smartcard, and iterating to sign with all keys becomes a user
> > interface issue quickly.
> 
> As far as I understand, the possibility to send a
> SSH_MSG_USERAUTH_REQUEST without a signature in it is intended to solve
> precisely this problem.

But some servers always answer that query positively.

A better solution is to have ssh-agent-like facilities that can use your
smartcard/token, and to which you give your PIN.  Certainly there's no
way to prevent the advent of such agents.

> The client can store the *public* keys somewhere where you don't need
> any user interaction to retrieve them, send a bunch of userauth requests
> with these keys and no signatures. When you get a SSH_MSG_USERAUTH_PK_OK
> response from the server, you ask the user to unlock the corresponding
> private key and send a single SSH_MSG_USERAUTH_REQUEST with both key and
> signature. This shouldn't have to cost more than a single network
> roundtrip, independent of the number of public keys.

Even so users won't like having to interact even that much.

> (Since I'd consider that client behaviour perfectly normal, I also think
> that the server should *not* increment the failure counter when sending
> a SSH_MSG_USERAUTH_PK_OK).

Yes.
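The query-then-sign exchange discussed in this thread (RFC 4252 section 7), worked through as an added example in Go. This is not code from the thread, from OpenSSH or from any other SSH implementation. Its assumptions, also noted in the comments: Ed25519 keys only, the service name "ssh-connection", a constructed session id and user name, no transport (the client hands each message straight to the server's handler, so the one-round-trip pipelining of probes is only described, not modelled), and no validation of the user or service name. The server answers SSH_MSG_USERAUTH_PK_OK only for a key it would actually accept, so it is not one of the servers that "always answer that query positively", and it increments its failure counter for rejected keys and bad signatures but not when it sends PK_OK. A real server compares that counter with its limit and disconnects, which is the "too many auth failures" of the subject line; only the counter is modelled here.

```go
package main

import "crypto/ed25519"
import "fmt"

// Message numbers from RFC 4252: USERAUTH_REQUEST, USERAUTH_FAILURE, USERAUTH_SUCCESS, USERAUTH_PK_OK.
const msgRequest, msgFailure, msgSuccess, msgPKOK byte = 50, 51, 52, 60

// sshString appends one SSH "string" (RFC 4251 section 5): uint32 big-endian length, then the bytes.
func sshString(b, s []byte) []byte {
	b = append(b, byte(len(s)>>24), byte(len(s)>>16), byte(len(s)>>8), byte(len(s)))
	return append(b, s...)
}

// fields reads a message's SSH strings in order; bad marks any short or oversized field, so a malformed message is never taken for a valid request.
type fields struct{ buf []byte; p int; bad bool }

func (f *fields) next() []byte {
	n := -1
	if b := f.buf; !f.bad && f.p+4 <= len(b) {
		n = int(b[f.p])<<24 | int(b[f.p+1])<<16 | int(b[f.p+2])<<8 | int(b[f.p+3])
	}
	if f.bad = n < 0 || n > len(f.buf)-f.p-4; f.bad {
		return nil
	}
	f.p += 4 + n
	return f.buf[f.p-n : f.p]
}

// requestBody is SSH_MSG_USERAUTH_REQUEST for "publickey" (RFC 4252 section 7) up to the public key.
// hasSig=false is the query form (boolean FALSE, no signature): no private key, passphrase or PIN needed.
func requestBody(user string, pub ed25519.PublicKey, hasSig bool) []byte {
	b := sshString([]byte{msgRequest}, []byte(user))
	b = sshString(sshString(b, []byte("ssh-connection")), []byte("publickey"))
	b = append(b, map[bool]byte{true: 1}[hasSig]) // the boolean: 1 when a signature follows
	return sshString(sshString(b, []byte("ssh-ed25519")), pub)
}

// signedRequest is the real attempt: the body with boolean TRUE, then a signature over (string session_id || body)
// as an SSH signature blob (string algorithm, string raw signature). Covering the session id ties it to this connection.
func signedRequest(sessionID []byte, user string, priv ed25519.PrivateKey) []byte {
	body := requestBody(user, priv.Public().(ed25519.PublicKey), true)
	sig := ed25519.Sign(priv, append(sshString(nil, sessionID), body...))
	return sshString(body, sshString(sshString(nil, []byte("ssh-ed25519")), sig))
}

// Server is one connection's userauth state. Failures counts rejected keys and bad signatures, never a PK_OK answer.
type Server struct {
	SessionID  []byte
	Authorized map[string]bool // raw 32-byte ed25519 public keys
	Failures   int
}

// Handle takes one SSH_MSG_USERAUTH_REQUEST and returns the message number of the reply.
func (s *Server) Handle(msg []byte) byte {
	f := &fields{buf: msg, p: 1}                 // the message number itself is checked below
	_, _, method := f.next(), f.next(), f.next() // user and service names are not checked here
	hasSig := f.p < len(msg) && msg[f.p] != 0    // the boolean; if it is missing, next() fails
	f.p++
	alg, pub := f.next(), f.next()
	ok := len(msg) > 0 && msg[0] == msgRequest && !f.bad && string(method) == "publickey" &&
		string(alg) == "ssh-ed25519" && s.Authorized[string(pub)]
	if ok && !hasSig {
		return msgPKOK // acceptable key, no signature offered: answer, and do not count it
	}
	if ok { // pub equals an authorized 32-byte key here, so Verify cannot panic on its length
		body := msg[:f.p] // everything before the signature field is what the client signed
		blob := &fields{buf: f.next()}
		sigAlg, sig := blob.next(), blob.next()
		ok = !f.bad && !blob.bad && string(sigAlg) == "ssh-ed25519" &&
			ed25519.Verify(pub, append(sshString(nil, s.SessionID), body...), sig)
	}
	if !ok {
		s.Failures++
	}
	return map[bool]byte{false: msgFailure, true: msgSuccess}[ok]
}

// Authenticate is the thread's client: probe with public keys only, then unlock and sign with the first key accepted.
func Authenticate(srv *Server, user string, keys []ed25519.PrivateKey) bool {
	for _, k := range keys {
		if srv.Handle(requestBody(user, k.Public().(ed25519.PublicKey), false)) == msgPKOK {
			return srv.Handle(signedRequest(srv.SessionID, user, k)) == msgSuccess // unlock the key here
		}
	}
	return false
}

func main() {
	keys := make([]ed25519.PrivateKey, 3) // constructed demo data: three client keys, only the last authorized
	for i := range keys {
		_, keys[i], _ = ed25519.GenerateKey(nil) // nil reader means crypto/rand
	}
	srv := &Server{SessionID: []byte("constructed-session-id"), Authorized: map[string]bool{string(keys[2].Public().(ed25519.PublicKey)): true}}
	ok := Authenticate(srv, "alice", keys)
	fmt.Printf("authenticated=%v, failures counted=%d (the PK_OK was not one)\n", ok, srv.Failures)
}
```

Run with `go run`: the client gets in with its third key after two rejected probes, and the counter reads 2 because the PK_OK reply was not counted. Two details worth noticing: the only difference between a probe and a real attempt on the wire is the boolean byte and the trailing signature field, which is why probing costs nothing in user interaction; and the signed data starts with the session id as an SSH string, which is what makes a signed request captured on one connection useless on another. A server that sent PK_OK for every key would make the client sign (and so unlock) each key in turn until one succeeded, and with this counter each of those failed signed attempts would count.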


