#884096 openssh-client: "Too many authentication failures" with the 7th identity

Package:
openssh-client
Source:
openssh
Description:
secure shell (SSH) client, for secure access to remote machines
Submitter:
Vincent Lefevre
Date:
2025-05-12 14:39:03 UTC
Severity:
important
#884096#5
Date:
2017-12-11 11:37:11 UTC
Just after the upgrade to 1.9.7-3, "svn+ssh:" is now unusable,
at least with some servers. This is a major regression.

Before the upgrade, on the server side:

Dec 11 12:16:28 joooj sshd[12206]: Postponed publickey for svn from 140.77.13.17 port 36508 ssh2 [preauth]
Dec 11 12:16:28 joooj sshd[12206]: Accepted publickey for svn from 140.77.13.17 port 36508 ssh2: RSA SHA256:SesJlF53vo9BluX48f4cBF+NnHhzpgQRqXa629zs6P0
Dec 11 12:16:28 joooj sshd[12206]: pam_unix(sshd:session): session opened for user svn by (uid=0)
Dec 11 12:16:28 joooj svnserve: DIGEST-MD5 common mech free
Dec 11 12:16:28 joooj sshd[12213]: Received disconnect from 140.77.13.17 port 36508:11: disconnected by user
Dec 11 12:16:28 joooj sshd[12213]: Disconnected from 140.77.13.17 port 36508
Dec 11 12:16:28 joooj sshd[12206]: pam_unix(sshd:session): session closed for user svn

After the upgrade, on the server side:

Dec 11 12:18:52 joooj sshd[12242]: error: maximum authentication attempts exceeded for svn from 140.77.13.17 port 38542 ssh2 [preauth]
Dec 11 12:18:52 joooj sshd[12242]: Disconnecting: Too many authentication failures [preauth]

Note: openssh-client is still the same version, so what seems to
trigger the failure is the subversion upgrade.

I'll try to downgrade...

#884096#10
Date:
2017-12-11 12:14:55 UTC
Control: reassign -1 openssh-client 1:7.6p1-2
Control: severity -1 important
Control: retitle -1 openssh-client: "Too many authentication failures" with the 7th identity

The downgrade had no effect. But I've found the cause of the problem,
which is in OpenSSH. What happened is the following: after the
upgrade, I had to reboot. But in the meantime, I had added a new
SSH private key identity (~/.ssh/id_rsa-...), which was taken into
account only after the reboot. An "ssh-add -l" shows the 7 identities,
id_rsa-svn being the last one.

If I try again without the new SSH private key identity, everything
works fine.

#884096#25
Date:
2017-12-11 12:25:54 UTC
As a workaround, I can use an IdentityFile + IdentitiesOnly
combination.
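The workaround named above, spelled out as a per-host client configuration. This is an added example, not text from the bug report; the host name, user and key path are assumptions chosen to match the svn scenario.

```sshconfig
# ~/.ssh/config (client side; host name and key path are assumed)
# With IdentitiesOnly, ssh offers only the key(s) named by IdentityFile,
# even if ssh-agent holds more. The agent's other identities are never
# tried, so they never count against sshd's MaxAuthTries (default 6).
Host svn.example.org
    User svn
    IdentityFile ~/.ssh/id_rsa-svn
    IdentitiesOnly yes
```

For svn+ssh: URLs the Host pattern must match the host name in the URL, since Subversion simply runs ssh with it; the same effect per command is available by setting SVN_SSH to `ssh -i ~/.ssh/id_rsa-svn -o IdentitiesOnly=yes`. The server-side knob is MaxAuthTries in sshd_config, but raising it to cover however many keys a client might carry also widens the window for password guessing, so the client-side restriction is the better fix.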

#884096#30
Date:
2017-12-11 13:39:25 UTC
Well, not really, this doesn't work under jessie. :(

#884096#35
Date:
2025-05-12 14:17:49 UTC

#884096#40
Date:
2025-05-12 14:35:50 UTC
The "Too many authentication failures" error came from sshd,
so this should have been in openssh-server, not openssh-client.

I don't know the current status since as a workaround, I currently
use IdentityFile + IdentitiesOnly on my current machines. But not
every SSH client might have that.

According to <https://github.com/fail2ban/fail2ban/issues/1263>,
trying multiple public keys is legitimate.
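A server-side check for the point made in the last message, as an added example that is not from the bug report or from OpenSSH: it groups sshd log lines per connection and tells an ssh client walking through its agent keys apart from a password brute force, so a fail2ban-style rule need not ban the former. The sample log is constructed: the Postponed/Accepted and "maximum authentication attempts exceeded" lines reuse the format quoted in the report, the per-key "Failed publickey ... ssh2: <type> SHA256:..." lines assume the message sshd emits at LogLevel VERBOSE, and the second session and every fingerprint marked "fake" are invented.

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines (not a capture from the bug report).
# The Postponed/Accepted/"attempts exceeded" lines follow the format quoted
# there; the "Failed publickey ... ssh2: <type> SHA256:..." lines assume
# sshd's per-key failure message (logged at LogLevel VERBOSE, and at INFO
# once failures reach MaxAuthTries/2). "fake" fingerprints are placeholders
# and the 203.0.113.9 session is invented for contrast.
SAMPLE_LOG = """\
Dec 11 12:16:28 joooj sshd[12206]: Postponed publickey for svn from 140.77.13.17 port 36508 ssh2 [preauth]
Dec 11 12:16:28 joooj sshd[12206]: Accepted publickey for svn from 140.77.13.17 port 36508 ssh2: RSA SHA256:SesJlF53vo9BluX48f4cBF+NnHhzpgQRqXa629zs6P0
Dec 11 12:18:52 joooj sshd[12242]: Failed publickey for svn from 140.77.13.17 port 38542 ssh2: RSA SHA256:fake1
Dec 11 12:18:52 joooj sshd[12242]: Failed publickey for svn from 140.77.13.17 port 38542 ssh2: RSA SHA256:fake2
Dec 11 12:18:52 joooj sshd[12242]: Failed publickey for svn from 140.77.13.17 port 38542 ssh2: ED25519 SHA256:fake3
Dec 11 12:18:52 joooj sshd[12242]: Failed publickey for svn from 140.77.13.17 port 38542 ssh2: RSA SHA256:fake4
Dec 11 12:18:52 joooj sshd[12242]: Failed publickey for svn from 140.77.13.17 port 38542 ssh2: RSA SHA256:fake5
Dec 11 12:18:52 joooj sshd[12242]: Failed publickey for svn from 140.77.13.17 port 38542 ssh2: ECDSA SHA256:fake6
Dec 11 12:18:52 joooj sshd[12242]: error: maximum authentication attempts exceeded for svn from 140.77.13.17 port 38542 ssh2 [preauth]
Dec 11 12:18:52 joooj sshd[12242]: Disconnecting: Too many authentication failures [preauth]
Dec 11 12:20:01 joooj sshd[12301]: Failed password for invalid user admin from 203.0.113.9 port 50012 ssh2
Dec 11 12:20:03 joooj sshd[12301]: Failed password for invalid user admin from 203.0.113.9 port 50012 ssh2
Dec 11 12:20:05 joooj sshd[12301]: Failed password for invalid user admin from 203.0.113.9 port 50012 ssh2
Dec 11 12:20:07 joooj sshd[12301]: Failed password for invalid user admin from 203.0.113.9 port 50012 ssh2
Dec 11 12:20:09 joooj sshd[12301]: Failed password for invalid user admin from 203.0.113.9 port 50012 ssh2
Dec 11 12:20:11 joooj sshd[12301]: Failed password for invalid user admin from 203.0.113.9 port 50012 ssh2
Dec 11 12:20:11 joooj sshd[12301]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.9 port 50012 ssh2 [preauth]
Dec 11 12:20:11 joooj sshd[12301]: Disconnecting: Too many authentication failures [preauth]
"""

# One sshd connection is identified by the (client IP, client port) pair
# that every auth line carries; the [preauth] tag and the optional
# ": <key type> <fingerprint>" trailer are parsed but not required.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed|Postponed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<info>.*?))?(?: \[preauth\])?$"
)
EXCEEDED_RE = re.compile(
    r"sshd\[\d+\]: error: maximum authentication attempts exceeded for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def parse_sessions(lines):
    """Group auth events per connection. Returns {(ip, port): session}."""
    sessions = defaultdict(lambda: {"attempts": [], "exceeded": False})
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            sessions[(m["ip"], m["port"])]["attempts"].append(m.groupdict())
            continue
        m = EXCEEDED_RE.search(line)
        if m:
            sessions[(m["ip"], m["port"])]["exceeded"] = True
    return sessions


def classify(session):
    """'ok' if MaxAuthTries was never hit. Otherwise 'key-fanout' when every
    failure was a public-key offer for one user and no fingerprint was
    offered twice (an ssh client walking its agent keys), 'unknown' when
    the limit was hit but no failure lines were logged, else 'brute-force'."""
    if not session["exceeded"]:
        return "ok"
    failed = [a for a in session["attempts"] if a["result"] == "Failed"]
    if not failed:
        return "unknown"
    methods = {a["method"] for a in failed}
    users = {a["user"] for a in failed}
    # Fingerprints are only present when sshd logged the key trailer; where
    # they are, a repeat means the same key was pushed again, not a fan-out.
    fps = [a["info"] for a in failed if a["info"]]
    if methods == {"publickey"} and len(users) == 1 and len(set(fps)) == len(fps):
        return "key-fanout"
    return "brute-force"


def analyze(lines):
    """Map each connection to its verdict, e.g. {("1.2.3.4", "38542"): "key-fanout"}."""
    return {key: classify(s) for key, s in parse_sessions(lines).items()}


if __name__ == "__main__":
    for (ip, port), verdict in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}:{port}\t{verdict}")
```

The key-fanout signature is deliberately narrow: one existing user, public-key failures only, every rejected fingerprint different. Anything else, including the same key being offered repeatedly, stays in the brute-force bucket for the ban logic to handle. sshd counts the client's initial key query, sent before any signature, as a failed attempt, which is why six unrelated agent keys exhaust the default MaxAuthTries of 6 before the seventh identity is ever offered.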