Re: PerSourcePenalties and ssh-copy-id


On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote:

> Dear colleagues,
> 
> Can we somehow improve the UX related to a relatively freshly
> introduced PerSourcePenalties option?
> 
> A popular pattern implies installation of the users' keys to a freshly
> installed machine using ssh-copy-id script. The default settings don't
> allow this command to work normally and cause login failures.
> 
> A reasonable workaround could be adding some threshold for a number of
> failures before the penalties are applied.

That's how the penalty system works now.

Can you provide an example session that is failing? The default threshold
is three authentication failures in a fifteen second period. I guess you
have more keys than that?

IMO it's probably ssh-copy-id that needs to change. It looks like it
filters public keys by trying them against a target host. IMO it should
check them directly against authorized_keys on the target system, as
that wouldn't cause login failures and will result in less logspam for
server operators.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
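
The reply above suggests checking keys directly against authorized_keys on the target rather than by trial logins. The sketch below is an added example, not part of the original message and not ssh-copy-id code. It assumes a copy of the target's authorized_keys has already been read over one authenticated session; the function names are hypothetical and the key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not ssh-copy-id code); function names are hypothetical.

# Print "type blob" for each key line of authorized_keys-style files.
# Heuristic: the key type is the first field that looks like an algorithm
# name and is followed by a base64 blob; this skips a leading options field.
key_material() {
    awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)[A-Za-z0-9@.-]+$/ &&
                    $(i+1) ~ "^AAAA[A-Za-z0-9+/=]+$") {
                    print $i, $(i+1)
                    next
                }
        }
    ' "$@"
}

# List the local .pub files whose key is absent from a copy of the target's
# authorized_keys. Comparison is on type+blob only; no login is attempted.
keys_to_install() {
    auth_file=$1; shift
    installed=$(key_material "$auth_file")
    for pub in "$@"; do
        km=$(key_material "$pub")
        [ -n "$km" ] || continue
        printf '%s\n' "$installed" | grep -qxF -e "$km" || printf '%s\n' "$pub"
    done
}

# Constructed sample data: the blobs below are placeholders, not real keys.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/authorized_keys" <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop
from="192.0.2.10",command="/usr/bin/rsync --server" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyTwo backup
EOF
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne other-comment' > "$d/id_ed25519.pub"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyTwo backup' > "$d/id_rsa.pub"
    echo 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYExampleKeyThree new' > "$d/id_ecdsa.pub"
    (cd "$d" && keys_to_install authorized_keys id_ed25519.pub id_rsa.pub id_ecdsa.pub)
    rm -rf "$d"
}
demo
```

Only id_ecdsa.pub is reported: the other two keys match an installed entry even though one has a different comment and the other sits behind an options field.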


