Thanks for your detailed bug report.
> 1. Install the current release of `openssh-server`.
Can you please be more specific? The output of `apt policy openssh-server`
on the affected server would be most helpful.
> 3. Exceed the configured number of attempts. For good measure, I
> suggest attempting 15 or 20 times.
You mention PuTTY in your bug report. Is that the specific client you
are reproducing this with? Or do you see the same behavior with
openssh-client on an Ubuntu machine?
From an initial look and test, my understanding is that MaxAuthTries is
applied on a *per-connection basis*, and it is not persistent across
multiple connections from the same client. For example, if I continually
attempt to connect to a server with an unauthorized public key, I do not
ever exceed MaxAuthTries (because it is reset on each connection, and my
client is not continually attempting to use that key). However, if I
configure password-based authentication, and increase
NumberOfPasswordPrompts for my client, then I will eventually hit the
limit with incorrect passwords. *However*, I am allowed to try again
once I establish a new connection (i.e. when I run
`ssh ubuntu@${server_ip}` again).
> - `systemctl stop ssh && systemctl stop ssh.socket && pkill -f pam && pkill
> -f ssh && pkill -f ssh-agent && killall ssh && killall sshd && systemctl
> start ssh && systemctl start ssh.socket` (Thoroughness)
> - Rebooted client PCs
> - Verified client passwords
I wonder if the client is configured in a way that it is automatically
trying (many) incorrect credentials before getting to the correct one.
This would give the illusion that the server is storing MaxAuthTries
persistently. Debug-level logs would help answer this question. Can you
please enable debug logs for sshd by running:
$ cat > /etc/ssh/sshd_config.d/log-level.conf << EOF
LogLevel DEBUG
EOF
$ systemctl reload ssh
And then make a connection attempt from the problematic client, and
gather logs with:
$ journalctl -b -u ssh.service --since "1min ago"
Adjust the "--since" time if needed, and take care to redact your logs
if necessary.
** Changed in: openssh (Ubuntu)
Status: New => Incomplete
** Changed in: openssh (Ubuntu)
Importance: Undecided => Medium
https://bugs.launchpad.net/bugs/2094529
Title:
Impossible to Reset MaxAuthTries After Lockout
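An added example, not part of the original message or of OpenSSH: a small Python helper that groups sshd journal lines by connection, so the debug logs requested above show whether the authentication limit was reached inside a single connection. The sample lines are constructed, and the helper assumes each connection logs under its own sshd PID; the function names are hypothetical.

```python
import re

# Constructed sample lines modelled on typical sshd journal messages;
# addresses, PIDs and key fingerprints are placeholders.
SAMPLE_LOG = """\
sshd[2101]: Connection from 192.0.2.10 port 50001 on 192.0.2.1 port 22
sshd[2101]: Failed publickey for ubuntu from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:PLACEHOLDER1
sshd[2101]: Failed publickey for ubuntu from 192.0.2.10 port 50001 ssh2: RSA SHA256:PLACEHOLDER2
sshd[2101]: Failed publickey for ubuntu from 192.0.2.10 port 50001 ssh2: ECDSA SHA256:PLACEHOLDER3
sshd[2101]: error: maximum authentication attempts exceeded for ubuntu from 192.0.2.10 port 50001 ssh2 [preauth]
sshd[2101]: Disconnecting authenticating user ubuntu 192.0.2.10 port 50001: Too many authentication failures [preauth]
sshd[2107]: Connection from 192.0.2.10 port 50002 on 192.0.2.1 port 22
sshd[2107]: Failed password for ubuntu from 192.0.2.10 port 50002 ssh2
sshd[2107]: Accepted password for ubuntu from 192.0.2.10 port 50002 ssh2
"""

LINE = re.compile(r"sshd(?:-session)?\[(?P<pid>\d+)\]: (?P<msg>.*)")
FAILED = re.compile(r"Failed (?P<method>\S+) for ")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for ")
LIMIT_MARKERS = ("maximum authentication attempts exceeded",
                 "Too many authentication failures")


def summarize(log_text):
    """Return {pid: {"failed": {method: count}, "accepted": method, "limit_hit": bool}}."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an sshd line
        conn = conns.setdefault(
            m["pid"], {"failed": {}, "accepted": None, "limit_hit": False})
        msg = m["msg"]
        if (f := FAILED.match(msg)):
            conn["failed"][f["method"]] = conn["failed"].get(f["method"], 0) + 1
        elif (a := ACCEPTED.match(msg)):
            conn["accepted"] = a["method"]
        if any(marker in msg for marker in LIMIT_MARKERS):
            conn["limit_hit"] = True
    return conns


def exhausted_without_password(conns):
    """PIDs of connections that hit the limit before any password was tried."""
    return [pid for pid, c in conns.items()
            if c["limit_hit"] and "password" not in c["failed"]]


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_LOG).items():
        print(pid, info)
```

A connection listed by `exhausted_without_password` used up its attempts on automatically offered credentials, which is the client-side pattern the reply asks the debug logs to confirm or rule out.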