> On 10 Sep 2025, at 22:12, Brian Candler <b.candler@xxxxxxxxx> wrote:
>
> On 10/09/2025 20:56, hvjunk wrote:
>> [preauth]
>>
>> seems in the archives, ssh-copy-id is not defined as a well behaved client ;(
>
> Apparently so. I'd say it's worth investigating what's going on. It is only a shell script: "#!/bin/sh -x" at the top may tell you more.

Simple algorithm:

(a) get a list of keys using: ssh-add -L
(b) iterate over the list attempting to login with each key separately, using a separate login/ssh session/connection
(c) Found any key that "worked"?
    YES: use that key to dump the set of keys that didn't work into ~/.ssh/authorized_keys
    NO: normal ssh session going through the normal logins

Usually C:NO is when I just type in the password and continue. With some pre-provisioned cases that only allow a single key, the C:YES case would dump the rest of the SSH keys. Nothing... untoward, just triggering this problem on 10.0 (I guess I might've picked it up on 9.8 IF I was using/deploying a new Ubuntu 24.04, perhaps Debian 12, in the previous 2 months).

>> a) Where/how do I set/change the "min" threshold value that is mentioned?
>> I see a default 15sec mentioned, but nothing in sshd_config that looks like min threshold for penalties
>
> I've not tried it myself, but it appears to be documented under PerSourcePenalties: min:<duration> source?
> so I would expect something like
>
> PerSourcePenalties min:60s
>
> You could also look at the output of "sshd -T", which trying with 10.0p2 from homebrew shows:
>
> persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 refuseconnection:10 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive

Thank you!!

On the PVE9/Deb13:

persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 refuseconnection:10 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive

>> b) Which values should I tune for the "preauthorisation" failures that ssh-copy-id triggers? I.e. how do I make them trigger more frequently before penalty threshold
>
> I would have guessed noauth:<duration> ("specifies how long to refuse clients that disconnect without attempting authentication"). But since the default is 1s, and the default min penalty is 15s, I would expect at least 15 such disconnections to be required.

Nope, seems that in this case, it is authfail:5 that after the 4th key check exceeds the min:15

> Again, really need to dig down further into what exactly ssh-copy-id is doing.

Just in quick SUCCESSION, ssh-copy-id checks ssh keys, one per session, triggering authfails ([preauth]).
(Reason it checks all is as mentioned before: some keys might be in LDAP/etc., so not needed/wanted in ~/.ssh/authorized_keys.)

So the solution*S*:

1. fix sshd_config
   (a) bigger min:<arg> where <arg>/authfail(5) > the number of ssh keys ssh-copy-id needs that are not yet in databases
   (b) drop authfail:<arg> (similar argument as above)
   ((c) bit of each :)
2. Patch ssh-copy-id in the filter_ids() procedure, add a "sleep 5" to totally "time out" the 5s from authfail

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
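The tuning rule from option 1 above, turned into a small POSIX shell helper as an added example (not code from the thread, OpenSSH or ssh-copy-id). It parses the `persourcepenalties` line that `sshd -T` prints, and computes either the `min:` value satisfying min/authfail > number-of-keys (option 1(a)) or the `authfail:` value that does the same with `min:` unchanged (option 1(b)). The penalty model is the one observed in the thread (each failed key adds `authfail` seconds, refusal once the total exceeds `min`), not verified against sshd's source; the sample line and the key count are constructed.

```shell
#!/bin/sh
# Constructed sample: the persourcepenalties line quoted in the thread (sshd -T, OpenSSH 10.0).
SSHD_T_LINE='persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 refuseconnection:10 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive'

# psp_field LINE NAME: print the integer value of the "NAME:" sub-option in LINE.
# "max" does not match "max-sources4" because the pattern anchors on "NAME:".
psp_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2:\([0-9][0-9]*\)\$/\1/p"
}

# min_for_keys AUTHFAIL NKEYS: smallest min: (seconds) with min/authfail > NKEYS (option 1(a)).
min_for_keys() {
    echo $(( ($2 + 1) * $1 ))
}

# authfail_for_keys MIN NKEYS: largest authfail: with min/authfail > NKEYS (option 1(b)).
# A result of 0 means the current min: cannot accommodate NKEYS failures at all.
authfail_for_keys() {
    echo $(( $1 / ($2 + 1) ))
}

# suggest_config LINE NKEYS: print an sshd_config PerSourcePenalties line that tolerates
# NKEYS consecutive key failures from one source, or a comment if no change is needed.
# Warns on stderr when the required min: would exceed the configured max:.
suggest_config() {
    authfail=$(psp_field "$1" authfail)
    min=$(psp_field "$1" min)
    max=$(psp_field "$1" max)
    nkeys=$2
    if [ $(( min / authfail )) -gt "$nkeys" ]; then
        echo "# current min:$min already tolerates $nkeys keys; no change needed"
        return 0
    fi
    newmin=$(min_for_keys "$authfail" "$nkeys")
    if [ "$newmin" -gt "$max" ]; then
        echo "# WARNING: min:$newmin exceeds max:$max; lower authfail to $(authfail_for_keys "$min" "$nkeys") instead" >&2
    fi
    echo "PerSourcePenalties authfail:$authfail min:$newmin"
}

# Example run: an agent holding 3 keys that are not yet in authorized_keys on the target.
suggest_config "$SSHD_T_LINE" 3
```

Feed the real values with `suggest_config "$(sshd -T | grep '^persourcepenalties')" "$(ssh-add -L | grep -c .)"` on the server and client respectively.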