Re: (PerSource)Penalties default perhaps too aggressive?

On 10/09/2025 20:56, hvjunk wrote:
Sep 10 21:38:22 fatm sshd-session[1518057]: Connection closed by authenticating user root 10.1.10.144 port 57153 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518059]: Connection closed by authenticating user root 10.1.10.144 port 57154 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518061]: Connection closed by authenticating user root 10.1.10.144 port 57157 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518063]: Connection closed by authenticating user root 10.1.10.144 port 57160 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518081]: Connection closed by authenticating user root 10.1.10.144 port 57161 [preauth]
Sep 10 21:38:23 fatm sshd[1517637]: drop connection #0 from [10.1.10.144]:57162 on [10.1.11.11]:22 penalty: failed authentication


There are certain conditions that count against the client, such as failed authentication, clients that disconnect without attempting authentication, clients that wait longer than LoginGraceTime before authenticating, and so on. But AFAIK, a well-behaved client should not be penalised.
Seems in the archives, ssh-copy-id is not defined as a well-behaved client ;(

Apparently so. I'd say it's worth investigating what's going on. It is only a shell script: "#!/bin/sh -x" at the top may tell you more.



a) Where/how do I set/change the “min” threshold value that is mentioned?
  I see a default 15sec mentioned, but nothing in sshd_config that looks like min threshold for penalties

I've not tried it myself, but it appears to be documented under PerSourcePenalties: min:<duration>

so I would expect something like

PerSourcePenalties min:60s

You could also look at the output of "sshd -T", which trying with 10.0p2 from homebrew shows:

persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 refuseconnection:10 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive



b) Which values should I tune for the “preauthorisation” failures that ssh-copy-id triggers? I.e. how do I make them trigger more frequently before the penalty threshold?

I would have guessed noauth:<duration> ("specifies how long to refuse clients that disconnect without attempting authentication").  But since the default is 1s, and the default min penalty is 15s, I would expect at least 15 such disconnections to be required.

Again, really need to dig down further into what exactly ssh-copy-id is doing.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
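As an added example (not from this thread and not OpenSSH's own code), a small Python model of the penalty accrual discussed above: it parses the persourcepenalties line from "sshd -T" quoted in the reply and replays the quoted log lines against it, treating each pre-auth close as an authfail event because the drop line labels the penalty "failed authentication". The accrual rule used here (each event adds its seconds to the source's remaining penalty, capped at max, refused once at least min has accrued) is a simplifying assumption about sshd's behaviour, not its implementation.

```python
import re
from datetime import datetime

# Constructed inputs, copied from the lines quoted in this thread.
SSHD_T = ("persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:10 "
          "refuseconnection:10 max:600 min:15 max-sources4:65536 "
          "max-sources6:65536 overflow:permissive overflow6:permissive")
LOG = """Sep 10 21:38:22 fatm sshd-session[1518057]: Connection closed by authenticating user root 10.1.10.144 port 57153 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518059]: Connection closed by authenticating user root 10.1.10.144 port 57154 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518061]: Connection closed by authenticating user root 10.1.10.144 port 57157 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518063]: Connection closed by authenticating user root 10.1.10.144 port 57160 [preauth]
Sep 10 21:38:23 fatm sshd-session[1518081]: Connection closed by authenticating user root 10.1.10.144 port 57161 [preauth]"""

LINE_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) \S+ sshd-session\[\d+\]: "
                     r"Connection closed by authenticating user \S+ (\S+) port \d+ \[preauth\]")

def parse_persourcepenalties(line):
    """Turn the 'sshd -T' persourcepenalties line into a dict (ints where numeric)."""
    cfg = {}
    for tok in line.split()[1:]:
        key, val = tok.split(":", 1)
        cfg[key] = int(val) if val.isdigit() else val
    return cfg

class PenaltyModel:
    """Simplified per-source penalty accrual (assumption, not sshd's code): each event
    adds its configured seconds to the source's remaining penalty, capped at 'max';
    the source is refused while the remaining penalty is at least 'min' seconds."""
    def __init__(self, cfg):
        self.cfg, self.expiry = cfg, {}   # expiry: source -> time the penalty lapses
    def record(self, source, event, now):
        remaining = max(0, self.expiry.get(source, now) - now)
        total = min(remaining + self.cfg[event], self.cfg["max"])
        self.expiry[source] = now + total
        return total, total >= self.cfg["min"]

def replay(log, cfg, year=2025):
    """Feed each pre-auth close as an authfail event (the drop line in the thread says
    'penalty: failed authentication'); return (accumulated seconds, refused) per line."""
    model, out = PenaltyModel(cfg), []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = int(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp())
        out.append(model.record(m.group(2), "authfail", ts))
    return out

if __name__ == "__main__":
    for total, refused in replay(LOG, parse_persourcepenalties(SSHD_T)):
        print(f"accumulated penalty {total:3d}s -> {'refuse' if refused else 'allow'}")
```

Under this model five authfail closes (5s each) cross the 15s min after the fourth, which is why the sixth connection in the quoted log is dropped, whereas noauth events (1s each) need fifteen before the threshold is reached.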



