> I think there IS value in separating the MaxAuthTries.
> I'd like to set the MaxAuthTries for passwords as low as possible (i.e. 1 only), since that is the only way to get sensible results from failed-login counters such as pam_tally and pam_abl.
That's a reason for finding out why multiple attempts are only counted once and fixing that, not for adding another knob to sshd.
> As you mentioned, my 'agent' may have a lot of publickeys to try. In this case, I can run out of MaxAuthTries before I get a chance to enter a password. Sure, I can add the option: -o PreferredAuthentications=password but that requires a fair bit of knowledge of ssh, which ordinary users don't have.
It doesn't require any special knowledge beyond reading the man page.
You can also put it in your ~/.ssh/config file (or even have the admin put it in the global config) so you don't have to remember it.
> I presume publickeys are less susceptible to 'brute-force' attacks than passwords, so I would be happy to set MaxAuthTries higher for publickey logins (say, 5) than password logins.
> (I'd like to be able to tally the publickey logins, too, but that does not appear to be feasible at present.)
You could hack sshd to make a bogus call to pam_authenticate() after other failed non-password auth attempts. That's pretty ugly, though.
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
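The client-side configuration the reply points at, written out as an added example (it is not part of the thread and not OpenSSH project code). Host names and the key path are assumed for illustration. It shows the two ways to stop keys held by ssh-agent from consuming the server's MaxAuthTries budget before the user gets to type a password: either offer only the password method to a given host, as the original poster wanted, or keep public-key authentication but offer only the one key meant for that host. The same stanzas can be placed by an admin in the global /etc/ssh/ssh_config so ordinary users never have to learn the option.

```sshconfig
# ~/.ssh/config (client side). Added example, not from the thread.
# bastion.example.org, *.example.org and the key path are assumed names.

# The case raised in the thread: the agent holds many keys, but this host
# should be reached with a password. Listing only the password method means
# no public-key offers are sent, so none of them count against sshd's
# MaxAuthTries and the password prompt is always reached.
Host bastion.example.org
    PreferredAuthentications password

# Usually the better fix: stay with public-key authentication, but send only
# the key intended for these hosts rather than every key loaded in the agent.
# IdentitiesOnly makes ssh ignore agent keys that are not listed here, so the
# server sees at most one public-key failure before any other method is tried.
Host *.example.org
    IdentityFile ~/.ssh/id_example_org
    IdentitiesOnly yes

# For everything else, try the one listed key first and fall back to a
# password, which is the order sshd needs for pam_tally-style counters to
# see the password attempt at all.
Host *
    PreferredAuthentications publickey,password
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa
```

On the server side there is no per-method counterpart: sshd's MaxAuthTries in sshd_config is a single limit shared by every authentication method, and each public key the client offers and the server rejects counts as one failed attempt against it, which is exactly why a fat agent can lock a user out of the password prompt. Lowering MaxAuthTries to make pam_tally or pam_abl counts meaningful therefore only works if clients are configured as above so that stray key offers do not spend the budget first.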