LinuxQuestions.org
Old 03-15-2017, 10:59 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,057

Received disconnect from 192.168.0.123: 2: Too many authentication failures


I am running CentOS 7.3 + X Window System + Mate-desktop on all of my systems except for a couple of old 32 bit boxes which have Ubuntu 16.04 Mate. On my main workstation I created ssh keys to various other machines using Seahorse. The first 5 were created with no problem. On the 6th attempt I received an error such as the example in the subject when I attempted to set up the key on the remote machine.

I determined that if I uncommented the #MaxAuthTries line in /etc/ssh/sshd_conf file on the remote machine, bumped up the number to 6 and restarted sshd, I could create the key. On the next machine I had to bump it to 7 etc. I reported this as a bug in Seahorse - still waiting for a response from the project.

I also noticed that if I attempt to connect with ssh to the 6th machine - the one with "MaxAuthTries 6" - after creating the 7th key I again get the "too many" error. It seems that the ssh command in a terminal is trying all of the available keys to access the remote computer instead of the correct key for that server.

I have set MaxAuthTries to 10 on all of my machines which eliminates the symptom. However, I do not think it resolves the underlying issue.

Is there something I need to configure on the workstation which is initiating the connections?

TIA,

Ken
 
Old 03-15-2017, 11:16 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,516
Blog Entries: 3

Quote:
Originally Posted by taylorkh
I also noticed that if I attempt to connect with ssh to the 6th machine - the one with "MaxAuthTries 6" - after creating the 7th key I again get the "too many" error. It seems that the ssh command in a terminal is trying all of the available keys to access the remote computer instead of the correct key for that server.
It's a problem with how the agents work currently. There is no way for them to work out which key should be offered to which server, so they just start trying keys. What might work is to add entries in ~/.ssh/config for each remote host and set IdentitiesOnly to "yes" and point IdentityFile to the right private key.

Code:
Host foo
        HostName 203.0.113.43
        IdentitiesOnly yes
        IdentityFile ~/.ssh/foo_rsa_key

Host bar
        HostName 203.0.113.107
        IdentitiesOnly yes
        IdentityFile ~/.ssh/bar_rsa_key

Host baz
        HostName 203.0.113.139
        IdentitiesOnly yes
        IdentityFile ~/.ssh/baz_rsa_key

Host *
        ServerAliveInterval 60
        ServerAliveCountMax 3
 
1 members found this post helpful.
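A quick way to audit an existing ~/.ssh/config for hosts that are still missing the IdentitiesOnly/IdentityFile pinning described above. This is an added example, not Turbocapitalist's code or anything shipped with OpenSSH; it assumes a plain-text ssh_config in the usual "Host name" block layout and uses only POSIX awk.

```shell
# Lint an ssh_config for Host blocks that still let the client offer every
# agent key to the server. A block passes only when it pins a key with
# IdentityFile and also sets IdentitiesOnly yes; each Host block is judged on
# its own (defaults inherited from "Host *" are not applied), and Match
# blocks are skipped. Usage: check_ssh_config [config-path]; prints one line
# per failing host, nothing when all hosts pass.
check_ssh_config() {
    awk '
    function report() {
        if (host == "" || host == "*") return
        if (idfile == "" && idonly == "")
            printf "%s: no IdentityFile and no IdentitiesOnly (all agent keys will be tried)\n", host
        else if (idfile == "")
            printf "%s: IdentitiesOnly set but no IdentityFile\n", host
        else if (idonly != "yes")
            printf "%s: IdentityFile set but IdentitiesOnly is not yes\n", host
    }
    {
        sub(/#.*/, "")          # drop comments
        gsub(/=/, " ")          # accept the Keyword=value spelling too
        if (NF < 2) next        # blank line or bare keyword
        key = tolower($1)       # ssh_config keywords are case-insensitive
        if (key == "host")  { report(); host = $2; idfile = ""; idonly = ""; next }
        if (key == "match") { report(); host = "";  idfile = ""; idonly = ""; next }
        if (key == "identityfile")   idfile = $2
        if (key == "identitiesonly") idonly = tolower($2)
    }
    END { report() }' "${1:-$HOME/.ssh/config}"
}
```

A host that only sets IdentityFile is reported as well, because without IdentitiesOnly the client may still offer the agent's other keys before the pinned one on older clients.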
Old 03-15-2017, 11:40 AM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,057

Original Poster
Thanks Turbocapitalist,

That confirms my observations. I may try adding the entries as you describe.

Ken
 
Old 03-15-2017, 11:44 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Turbocapitalist, I just posted a moderator-note ... praising this reply ... to the effect that "bits of wisdom like the foregoing ought to be put into a sticky topic at the top of this forum."

I suggested a thread title: "Security Tips, Tricks, and Folk Wisdom."

Everyone who has "more than so-many SSH servers and therefore keys to deal with" has bumped into this issue. But, I find very little discussion of it.

LQ needs a sticky thread ... "If you want to minimize security-related ... and of course you do ... read this thread!"

Last edited by sundialsvcs; 03-15-2017 at 11:46 AM.
 
Old 03-15-2017, 12:31 PM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,516
Blog Entries: 3

It's useful but far from perfect because as far as I know you have to keep entering the key information.

Currently to still keep the key in the agent, you have to fiddle the MaxAuthTries on the SSH server similar to how taylorkh has started. However, the increased MaxAuthTries can be restricted using a Match block to a single group of users, an individual user, a network,

Code:
Match Group fungames
        MaxAuthTries 20
or some of each.

Code:
Match Group fungames, Address 192.168.1.0/24
        MaxAuthTries 20
It will still clutter the authentication logs with all the failures though.
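Since the raised MaxAuthTries leaves the rejected-key noise in the server log, it helps to be able to tell a client that is merely spraying its own agent keys from a session that was actually cut off. The following is an added example (not from the thread or from OpenSSH); the log lines are constructed to resemble OpenSSH 7.x syslog output, and the host name, PIDs, user, addresses and fingerprints in them are made up.

```shell
# Constructed sample of sshd auth log lines (syslog format). Every value is
# invented for the example; the message wording follows OpenSSH 7.x.
SAMPLE_LOG='Mar 15 11:02:10 srv sshd[4101]: Failed publickey for ken from 192.168.0.50 port 51234 ssh2: RSA SHA256:AAAA
Mar 15 11:02:10 srv sshd[4101]: Failed publickey for ken from 192.168.0.50 port 51234 ssh2: RSA SHA256:BBBB
Mar 15 11:02:11 srv sshd[4101]: Failed publickey for ken from 192.168.0.50 port 51234 ssh2: RSA SHA256:CCCC
Mar 15 11:02:11 srv sshd[4101]: Disconnecting: Too many authentication failures [preauth]
Mar 15 11:03:40 srv sshd[4188]: Failed publickey for ken from 192.168.0.77 port 40022 ssh2: RSA SHA256:DDDD
Mar 15 11:03:41 srv sshd[4188]: Accepted publickey for ken from 192.168.0.77 port 40022 ssh2: RSA SHA256:EEEE
Mar 15 11:05:02 srv sshd[4203]: Failed password for root from 198.51.100.9 port 2222 ssh2'

# Summarise each sshd session (keyed by the sshd[pid] tag) that had rejected
# public keys: source address, user, number of rejected keys, and whether the
# server cut the session off for exceeding MaxAuthTries. The disconnect line
# carries no address in this log format, so it is correlated to the earlier
# "Failed publickey" lines through the pid. Reads log text on stdin.
key_spray_report() {
    awk '
    match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
    /Failed publickey for/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user[pid] = $(i + 1)
            if ($i == "from") src[pid]  = $(i + 1)
        }
        fails[pid]++
    }
    /Too many authentication failures/ { cut[pid] = 1 }
    END {
        for (p in fails)
            printf "%s %s %d %s\n", src[p], user[p], fails[p], (p in cut) ? "DISCONNECTED" : "ok"
    }' | sort
}
```

Later OpenSSH releases word the disconnect line differently, but the filter only relies on the "Too many authentication failures" substring, which the thread's subject line shows the client receives as well.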
 
Old 03-15-2017, 01:36 PM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,516
Blog Entries: 3

I just had a chance to check with older (6.6p) and newer (7.4) OpenSSH clients. With the latter, it seems enough to specify IdentityFile only. Sometime between the two, the client got a lot more adaptable.

Code:
Host foo
        HostName 203.0.113.43
        IdentityFile ~/.ssh/foo_rsa_key
 
Old 03-15-2017, 02:32 PM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

I get a very similar message in Filezilla, so I have to either modify the target, or
Code:
SSH_AUTH_SOCK=""; filezilla
from a bash terminal. Works for the zilla....

Just sayin'.
 