# openssh, MaxAuthTries does not disconnect anymore [solved]

## tomm73

Hello,

I have been using sshd with key and passphrase for a long time. I always had MaxAuthTries set to "1", so I got disconnected after the second failure. I did not change anything besides the normal Gentoo updates.

Now, "out of nowhere", I have unlimited tries for the passphrase if a correct user name is given.

It is possible to see which usernames exist; this is not acceptable. I have no idea where to look :(

Example:

----------------------------------------------------

login as: user-that-exists

Authenticating with public key "imported-openssh-key"

Passphrase for key "imported-openssh-key":

Wrong passphrase

Passphrase for key "imported-openssh-key":

Wrong passphrase

Passphrase for key "imported-openssh-key":

Wrong passphrase

Passphrase for key "imported-openssh-key":

Wrong passphrase

Passphrase for key "imported-openssh-key":

Wrong passphrase

... (unlimited)

----------------------------------------------------

login as: user-that-NOT-exists

Server send disconnect-message:

"Too many authentication failures for user-that-NOT-exists"

----------------------------------------------------

net-misc/openssh-5.1_p1-r2  USE="pam tcpd -X -X509 -hpn -kerberos -ldap -libedit (-selinux) -skey -smartcard -static"

Here is my sshd_config:

Port 22

ListenAddress xxx.xxx.xxx.xxx

Protocol 2

SyslogFacility AUTH

LogLevel INFO

LoginGraceTime 1m

PermitRootLogin no

MaxAuthTries 1

MaxSessions 3

MaxStartups 5

PubkeyAuthentication yes

AuthorizedKeysFile      .ssh/authorized_keys

IgnoreRhosts yes

PasswordAuthentication no

ChallengeResponseAuthentication no

UsePAM no

AllowTcpForwarding yes

PrintMotd yes

PrintLastLog yes

TCPKeepAlive yes

UseDNS yes

PidFile /var/run/sshd.pid

Subsystem       sftp    /usr/lib/misc/sftp-server

Last edited by tomm73 on Thu Feb 26, 2009 5:58 pm; edited 1 time in total

----------

## gentoo_ram

When it asks you for the passphrase of the key, that is happening locally on the machine running the ssh client.  It's not contacting the server.  Once you decode the key file locally, then it will contact the server and the MaxAuthTries will be in effect.

----------

## tomm73

Ah okay. Good to know!  Thank you!

----------
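An added illustration of gentoo_ram's reply above (not code from the thread, OpenSSH or PuTTY): the passphrase protects the private key file on the client, so whether a key is passphrase-protected can be read from the file alone, with no server involved and therefore nothing for MaxAuthTries to count. The function name `key_file_encryption` and the sample headers are constructed for this example.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"
# Constructed samples: headers only, no real key material.
SAMPLE_PPK = "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: imported-openssh-key\n"
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n")


def key_file_encryption(text):
    """Return the cipher protecting a private key file, or None if it is stored in the clear.

    Only the file contents are inspected; no connection to any sshd is made.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""

    # PuTTY .ppk: an "Encryption: <cipher|none>" header line.
    if first.startswith("PuTTY-User-Key-File-"):
        for ln in lines[1:]:
            if ln.startswith("Encryption:"):
                cipher = ln.split(":", 1)[1].strip()
                return None if cipher == "none" else cipher
        raise ValueError("PPK file without an Encryption header")

    # Current OpenSSH format: magic, then a length-prefixed cipher name.
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack_from(">I", blob, off)
        cipher = blob[off + 4:off + 4 + n].decode("ascii")
        return None if cipher == "none" else cipher

    # PKCS#8: the cipher is inside the ASN.1 structure, so only report the fact.
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8-encrypted"

    # Legacy PEM (the format OpenSSH 5.x wrote): RFC 1421 style headers.
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        hdr = dict(h.split(":", 1) for h in lines[1:3] if ":" in h)
        if hdr.get("Proc-Type", "").strip() != "4,ENCRYPTED":
            return None
        return hdr.get("DEK-Info", "unknown").split(",")[0].strip()

    raise ValueError("unrecognised private key format")
```

A return value of `None` means the file has no passphrase, so the client never prompts and goes straight to authenticating against the server.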

