On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote:

> Dear colleagues,
>
> Can we somehow improve the UX related to a relatively freshly
> introduced PerSourcePenalties option?
>
> A popular pattern implies installation of the users' keys to a freshly
> installed machine using ssh-copy-id script. The default settings don't
> allow this command to work normally and cause login failures.
>
> A reasonable workaround could be adding some threshold for a number of
> failures before the penalties are applied.

That's how the penalty system works now. Can you provide an example
session that is failing?

The default threshold is three authentication failures in a fifteen
second period. I guess you have more keys than that?

IMO it's probably ssh-copy-id that needs to change. It looks like it
filters public keys by trying them against a target host. IMO it should
check them directly against authorized_keys on the target system, as
that wouldn't cause login failures and will result in less logspam for
server operators.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
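
An added illustration of the approach suggested in the reply above (not part of the original message and not ssh-copy-id's own code): filter candidate public keys by comparing key type and blob against a copy of the target's authorized_keys, so no authentication attempts are made. It assumes that file's contents were already read over an authenticated session; the function names and sample keys are hypothetical.

```shell
#!/bin/sh
# Print "<keytype> <base64-blob>" for one public key or authorized_keys line.
# authorized_keys lines may begin with an options field, so scan for the first
# field that is a key type and take the field after it. Limitation: an option
# value containing a bare key type name inside quotes would confuse this scan.
key_id() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print $i, $(i + 1); exit
                }
        }'
}

# missing_keys AUTHORIZED_KEYS_COPY PUBKEY_FILE...
# Prints every candidate key line whose blob is not already authorized.
missing_keys() {
    auth_file=$1; shift
    # A freshly installed machine may have no authorized_keys at all.
    [ -r "$auth_file" ] || auth_file=/dev/null
    known=$(while IFS= read -r line || [ -n "$line" ]; do
                key_id "$line"
            done < "$auth_file")
    for pub in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            id=$(key_id "$line")
            [ -n "$id" ] || continue
            printf '%s\n' "$known" | grep -qxF -- "$id" || printf '%s\n' "$line"
        done < "$pub"
    done
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample data: the blobs are placeholders, not real keys.
    printf '%s\n' '# managed file' \
        'no-pty,from="192.0.2.10" ssh-ed25519 AAAAC3NzaCONSTRUCTEDkeyA alice@old' \
        > "$d/authorized_keys"
    echo 'ssh-ed25519 AAAAC3NzaCONSTRUCTEDkeyA alice@laptop' > "$d/a.pub"
    echo 'ssh-rsa AAAAB3NzaCONSTRUCTEDkeyB alice@laptop' > "$d/b.pub"
    missing_keys "$d/authorized_keys" "$d/a.pub" "$d/b.pub"
    rm -rf "$d"
}

demo
```

Only the keys printed by `missing_keys` would need installing; keys already present are recognised even when their comment or options differ.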