openssh-client: "Too many authentication failures" with the 7th private key identity
Control: reassign -1 openssh-client 1:7.6p1-2
Control: severity -1 important
Control: retitle -1 openssh-client: "Too many authentication failures" with the 7th identity
On 2017-12-11 12:37:11 +0100, Vincent Lefevre wrote:
> Package: subversion
> Version: 1.9.7-3
> Severity: grave
> Justification: renders package unusable
>
> Just after the upgrade to 1.9.7-3, "svn+ssh:" is now unusable,
> at least with some servers. This is a major regression.
>
> Before the upgrade, on the server side:
>
> Dec 11 12:16:28 joooj sshd[12206]: Postponed publickey for svn from 140.77.13.17 port 36508 ssh2 [preauth]
> Dec 11 12:16:28 joooj sshd[12206]: Accepted publickey for svn from 140.77.13.17 port 36508 ssh2: RSA SHA256:SesJlF53vo9BluX48f4cBF+NnHhzpgQRqXa629zs6P0
> Dec 11 12:16:28 joooj sshd[12206]: pam_unix(sshd:session): session opened for user svn by (uid=0)
> Dec 11 12:16:28 joooj svnserve: DIGEST-MD5 common mech free
> Dec 11 12:16:28 joooj sshd[12213]: Received disconnect from 140.77.13.17 port 36508:11: disconnected by user
> Dec 11 12:16:28 joooj sshd[12213]: Disconnected from 140.77.13.17 port 36508
> Dec 11 12:16:28 joooj sshd[12206]: pam_unix(sshd:session): session closed for user svn
>
> After the upgrade, on the server side:
>
> Dec 11 12:18:52 joooj sshd[12242]: error: maximum authentication attempts exceeded for svn from 140.77.13.17 port 38542 ssh2 [preauth]
> Dec 11 12:18:52 joooj sshd[12242]: Disconnecting: Too many authentication failures [preauth]
>
> Note: openssh-client is still the same version, so that what seems to
> trigger the failure is the subversion upgrade.
>
> I'll try to downgrade...
The downgrade had no effect. But I've found the cause of the problem,
which is in OpenSSH. What happened in the following: after the
upgrade, I had to reboot. But in the mean time, I had added a new
SSH private key identity (~.ssh/id_rsa-...), which was taken into
account only after the reboot. A "ssh-add -l" shows the 7 identities,
id_rsa-svn being the last one.
If I try again without the new SSH private key identity, everything
works fine.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Reply to: