Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sshd: Too many authentication failures #134

Open
skyblaster opened this issue Jun 29, 2024 · 6 comments
Open

sshd: Too many authentication failures #134

skyblaster opened this issue Jun 29, 2024 · 6 comments

Comments

@skyblaster
Copy link

skyblaster commented Jun 29, 2024

Using the instructions at https://sonic.software/ to launch the sonic-vs image in QEMU, SSH fails to connect to master and 202405 builds with the following error:

❯ ssh admin@localhost -p 5555
Debian GNU/Linux 12 \n \l

Received disconnect from 127.0.0.1 port 5555:2: Too many authentication failures
Disconnected from 127.0.0.1 port 5555

Comparing the relevant parts of /etc/ssh/sshd_config, it appears that MaxAuthTries is set to too low of a value. If I increase this to 6 (the commented value), or remove the line completely, then it is possible to make a connection.

202311 builds:

# Close inactive client sessions after 15 minutes
ClientAliveInterval 900
ClientAliveCountMax 0
LogLevel VERBOSE

Master and 202405 builds

# Close inactive client sessions after 5 minutes
ClientAliveInterval 300
ClientAliveCountMax 0
MaxAuthTries 3
Banner /etc/issue
LogLevel VERBOSE

I suspect this is a result of the bump from Debian 11 to 12.
It's possible that #99 contains a fix, but I haven't tested the patches to confirm.

@amazor
Copy link

amazor commented Jun 30, 2024

Can you send the verbose output of the ssh connection? please try using ssh -vvv when connecting.

@skyblaster
Copy link
Author

skyblaster commented Jun 30, 2024

Thanks for the hint!
I see that OpenSSH is attempting to use my private keys first and of course fails.
If I add -o PubkeyAuthentication=no to the command, then the issue goes away.

❯ ssh admin@localhost -p 5555 -o PubkeyAuthentication=no
ssh_debug.txt

@amazor
Copy link

amazor commented Jul 2, 2024

Hi,
I am unable to find why the default MaxAuthTries is 3. Changes made to SSH config is related to this HLD: https://github.com/ycoheNvidia/SONiC/blob/ea7eccf80137d945b1fd2d2980bf693526a22246/doc/ssh_config/ssh_config.md

Please take a look to see how to configure SSH server using the sonic management interface and up the number of MaxAuthTries.

@ycoheNvidia Can you explain why the default was changed from 6 to 3?

@skyblaster, I noticed in your ssh_debug.txt log that you have up to 9 keys SSH will attempt before attempting public key authentication, so i am curious why the default (6) still works for you.

@ycoheNvidia
Copy link
Contributor

ycoheNvidia commented Jul 2, 2024

@amazor I don't know why it was changed, the code does not force default values, we based the HLD default values on default openssl values.

@amazor
Copy link

amazor commented Jul 2, 2024

I do not see any SSH_SERVER table in config_db by default, so no settings should be updated through the flow created by @ycoheNvidia. Instead, i see it was updated through this PR directly in the build_debian.sh script.
sonic-net/sonic-buildimage#17798

These settings were changed "according to Sonic OS review result", as seen in the PR.

Whether or not these configuration changes are "correct" or not is subjective, but i do believe these settings should be updated using the existing SSH_SERVER policy table in config_db rather than hardcoding when building debians.

@ycoheNvidia Do you agree? Should i make a PR that updates the config_db.json file to include these "hardened" default values, and removes the hardcoded values from the build_debian.sh script?

@amazor
Copy link

amazor commented Jul 3, 2024

Hi @abdosi,
What are your thoughts on the changes mentioned above?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants