Re: PerSourcePenalties and ssh-copy-id

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Damien Miller <djm@xxxxxxxxxxx> writes:

> On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote:
>
>> Dear colleagues,
>> 
>> Can we somehow improve the UX related to a relatively freshly
>> introduced PerSourcePenalties option?
>> 
>> A popular pattern implies installation of the users' keys to a freshly
>> installed machine using ssh-copy-id script. The default settings don't
>> allow this command to work normally and causes login failures.
>> 
>> A reasonable workaround could be adding some threshold for a number of
>> failures before the penalties are applied.
>
> That's how the penalty system works now.
>
> Can you provide an example session that is failing? The default threshold
> is three authentication failures in a fifteen second period. I guess you
> have more keys than that?

I just bumped into this for ssh-copy-id's CI tests, which broke because
the tests launch loads of intentionally failing login attempts, and then
try a few that are supposed to work (so I'm now disabling
PerSourcePenalties for the test server).

> IMO it's probably ssh-copy-id that needs to change. It looks like it
> filters public keys by trying them against a target host.

That is indeed how it currently works.

> IMO it should check them directly against authorized_keys on the
> target system,

It's not clear to me how that can be reliably achieved.  People quite
often add keys via other means, like getting them from LDAP, or having a
system-wide config in addition to the keys in authorized_keys, and
that's for things where the other end is openssh.

ssh-copy-id is also supposed to work for things that are not running
openssh, like dropbear, so I'm not sure what assumptions I can safely
make about what the other end is doing to handle keys.

> as that wouldn't cause login failures and will result in less logspam
> for server operators.

What I could do is notice when people have too many keys, and warn about
the possibility that they'll get locked out.  I may well be doing
multiple redundant attempts with the same key (I'll have to check on
that) in which case I could try harder to only test any key once.

I guess for people that have many keys to test, I could take note of how
many failures I get, and could then introduce a delay between the tests
to avoid triggering the default settings.

Can one reset the penalty system's count by having a successful login?

If so I could make a point of logging-in with a working key in between
the key tests (or initiating a password-based login if we don't yet have
a working key, although that seems likely to be a pain for the user --
getting at least one key installed early seems like the way to go)

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux