openssh-client: "Too many authentication failures" with the 7th private key identity

To: 884096@bugs.debian.org
Cc: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Subject: openssh-client: "Too many authentication failures" with the 7th private key identity
From: Vincent Lefevre <vincent@vinc17.net>
Date: Mon, 11 Dec 2017 13:14:55 +0100
Message-id: <[🔎] 20171211121455.GA4053@cventin.lip.ens-lyon.fr>
In-reply-to: <20171211113711.GA2358@cventin.lip.ens-lyon.fr>
References: <20171211113711.GA2358@cventin.lip.ens-lyon.fr>

Control: reassign -1 openssh-client 1:7.6p1-2
Control: severity -1 important
Control: retitle -1 openssh-client: "Too many authentication failures" with the 7th identity

On 2017-12-11 12:37:11 +0100, Vincent Lefevre wrote:
> Package: subversion
> Version: 1.9.7-3
> Severity: grave
> Justification: renders package unusable
> 
> Just after the upgrade to 1.9.7-3, "svn+ssh:" is now unusable,
> at least with some servers. This is a major regression.
> 
> Before the upgrade, on the server side:
> 
> Dec 11 12:16:28 joooj sshd[12206]: Postponed publickey for svn from 140.77.13.17 port 36508 ssh2 [preauth]
> Dec 11 12:16:28 joooj sshd[12206]: Accepted publickey for svn from 140.77.13.17 port 36508 ssh2: RSA SHA256:SesJlF53vo9BluX48f4cBF+NnHhzpgQRqXa629zs6P0
> Dec 11 12:16:28 joooj sshd[12206]: pam_unix(sshd:session): session opened for user svn by (uid=0)
> Dec 11 12:16:28 joooj svnserve: DIGEST-MD5 common mech free
> Dec 11 12:16:28 joooj sshd[12213]: Received disconnect from 140.77.13.17 port 36508:11: disconnected by user
> Dec 11 12:16:28 joooj sshd[12213]: Disconnected from 140.77.13.17 port 36508
> Dec 11 12:16:28 joooj sshd[12206]: pam_unix(sshd:session): session closed for user svn
> 
> After the upgrade, on the server side:
> 
> Dec 11 12:18:52 joooj sshd[12242]: error: maximum authentication attempts exceeded for svn from 140.77.13.17 port 38542 ssh2 [preauth]
> Dec 11 12:18:52 joooj sshd[12242]: Disconnecting: Too many authentication failures [preauth]
> 
> Note: openssh-client is still the same version, so that what seems to
> trigger the failure is the subversion upgrade.
> 
> I'll try to downgrade...

The downgrade had no effect. But I've found the cause of the problem,
which is in OpenSSH. What happened in the following: after the
upgrade, I had to reboot. But in the mean time, I had added a new
SSH private key identity (~.ssh/id_rsa-...), which was taken into
account only after the reboot. A "ssh-add -l" shows the 7 identities,
id_rsa-svn being the last one.

If I try again without the new SSH private key identity, everything
works fine.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Bug#884096: openssh-client: "Too many authentication failures" with the 7th private key identity
  - From: Vincent Lefevre <vincent@vinc17.net>

Prev by Date: Processed: openssh-client: "Too many authentication failures" with the 7th private key identity
Next by Date: Bug#884096: openssh-client: "Too many authentication failures" with the 7th private key identity
Previous by thread: Bug#745778: openssh-server/permit-root-login should be honored for new installs too
Next by thread: Processed: openssh-client: "Too many authentication failures" with the 7th private key identity
Index(es):
- Date
- Thread