- Package: openssh-client
- Source: openssh
- Description: secure shell (SSH) client, for secure access to remote machines
- Submitter: Vincent Lefevre
- Date: 2025-05-12 14:39:03 UTC
- Severity: important
Just after the upgrade to 1.9.7-3, "svn+ssh:" is now unusable, at least with some servers. This is a major regression.

Before the upgrade, on the server side:

Dec 11 12:16:28 joooj sshd[12206]: Postponed publickey for svn from 140.77.13.17 port 36508 ssh2 [preauth]
Dec 11 12:16:28 joooj sshd[12206]: Accepted publickey for svn from 140.77.13.17 port 36508 ssh2: RSA SHA256:SesJlF53vo9BluX48f4cBF+NnHhzpgQRqXa629zs6P0
Dec 11 12:16:28 joooj sshd[12206]: pam_unix(sshd:session): session opened for user svn by (uid=0)
Dec 11 12:16:28 joooj svnserve: DIGEST-MD5 common mech free
Dec 11 12:16:28 joooj sshd[12213]: Received disconnect from 140.77.13.17 port 36508:11: disconnected by user
Dec 11 12:16:28 joooj sshd[12213]: Disconnected from 140.77.13.17 port 36508
Dec 11 12:16:28 joooj sshd[12206]: pam_unix(sshd:session): session closed for user svn

After the upgrade, on the server side:

Dec 11 12:18:52 joooj sshd[12242]: error: maximum authentication attempts exceeded for svn from 140.77.13.17 port 38542 ssh2 [preauth]
Dec 11 12:18:52 joooj sshd[12242]: Disconnecting: Too many authentication failures [preauth]

Note: openssh-client is still the same version, so that what seems to trigger the failure is the subversion upgrade. I'll try to downgrade...
Control: reassign -1 openssh-client 1:7.6p1-2
Control: severity -1 important
Control: retitle -1 openssh-client: "Too many authentication failures" with the 7th identity

The downgrade had no effect. But I've found the cause of the problem, which is in OpenSSH. What happened is the following: after the upgrade, I had to reboot. But in the meantime, I had added a new SSH private key identity (~.ssh/id_rsa-...), which was taken into account only after the reboot. A "ssh-add -l" shows the 7 identities, id_rsa-svn being the last one. If I try again without the new SSH private key identity, everything works fine.
As a workaround, I can use an IdentityFile + IdentitiesOnly combination.
Well, not really, this doesn't work under jessie. :(
See also the discussion at https://github.com/fail2ban/fail2ban/issues/1263
The "Too many authentication failures" error came from sshd, so this should have been in openssh-server, not openssh-client. I don't know the current status since as a workaround, I currently use IdentityFile + IdentitiesOnly on my current machines. But not every SSH client might have that. According to <https://github.com/fail2ban/fail2ban/issues/1263>, trying multiple public keys is legitimate.
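The failure reported in this thread can be reproduced on paper with the following added example, which is not code from the bug report or from OpenSSH. It assumes sshd's default MaxAuthTries of 6 and the client's usual offer order (agent keys named by IdentityFile first, then the remaining agent keys, then file-only keys); every key name except id_rsa-svn is constructed.

```python
"""Model of which public keys an OpenSSH client offers, and when sshd cuts it off."""

DEFAULT_MAX_AUTH_TRIES = 6  # assumed: sshd_config MaxAuthTries default


def offer_order(agent_keys, identity_files=(), identities_only=False):
    """Return the keys in the order the client offers them.

    Assumed ordering: agent keys that are also named by IdentityFile,
    then the other agent keys, then IdentityFile keys that exist only on
    disk. IdentitiesOnly=yes drops every key not named by IdentityFile.
    """
    in_both = [k for k in agent_keys if k in identity_files]
    agent_only = [k for k in agent_keys if k not in identity_files]
    file_only = [k for k in identity_files if k not in agent_keys]
    if identities_only:
        return in_both + file_only
    return in_both + agent_only + file_only


def authenticate(offers, accepted_key, max_auth_tries=DEFAULT_MAX_AUTH_TRIES):
    """Replay the offers against a server that accepts exactly one key.

    Returns (outcome, failed_attempts). Each rejected key counts as one
    failure; the server disconnects once failures reach max_auth_tries.
    """
    failures = 0
    for key in offers:
        if key == accepted_key:
            return "accepted", failures
        failures += 1
        if failures >= max_auth_tries:
            return "too many authentication failures", failures
    return "permission denied", failures


# Constructed sample: seven agent identities, the svn key loaded last.
AGENT = [f"id_rsa-{n}" for n in ("a", "b", "c", "d", "e", "f")] + ["id_rsa-svn"]

if __name__ == "__main__":
    # Seventh identity: the server disconnects before the right key is offered.
    print(authenticate(offer_order(AGENT), "id_rsa-svn"))
    # IdentityFile + IdentitiesOnly: only the named key is offered.
    pinned = offer_order(AGENT, ["id_rsa-svn"], identities_only=True)
    print(pinned, authenticate(pinned, "id_rsa-svn"))
```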