[PLUG] ssh: Too many authentication failures

Sandy Herring sandy at herring.org
Mon Aug 27 21:24:48 UTC 2007


Circa 13:53:34 on Mon, 27 Aug 2007, Robert Citek wrote: 
[...]
> You are not able to connect to the box that you are on, i.e. localhost?

sorry, I should have been more specific about how I'm tunneling in...

On box A: ssh -L1047:herring.org:22 foog@boxB
On box A: ssh -l foo -p 1047 localhost

It's not a case of connecting to localhost from herring.org - it's a
case of not being able to tunnel there from my linux box at work (boxA).
Note that boxA sits inside of the firewall and my employer, in their
infinite wisdom, has shut down incoming and outgoing ssh traffic at the
edge. But boxB is in the DMZ and thus works as an intermediary.

> What do the log files say?
> /var/log/secure

Typical stuff. Failed attempts via the tunnel from BoxA show...

Aug 27 13:53:40 pickled sshd[29209]: Disconnecting: Too many authentication failures for foo

Successful attempts via ssh to BoxB from BoxA, then ssh to
foo@herring.org (which is insecure) show...

Aug 27 14:06:36 pickled sshd[29381]: Postponed publickey for foo from ::ffff:<ip address> port 37341 ssh2
Aug 27 14:06:46 pickled sshd[29380]: Accepted publickey for foo from ::ffff:<ip address> port 37341 ssh2

> /var/log/messages

Only "session (opened|closed) for user foo" stuff.

> /var/log/auth

Doesn't exist.
 
> You may want to try to connect and then type 'ls -latr /var/log/' to see
> what got updated last.  If you want to recurse:
> 
> $ sudo find /var/log/ | sudo xargs ls -ladtr
> 
> Then look at the later entries in those log files.

I already checked that, and nothing revealing there. I can do a two-hop
ssh to user "foo", but can no longer tunnel directly (which is far more
secure). 

I've also tried removing the corresponding entry from
/home/foo/.ssh/known_hosts - but that accomplished nothing.

There has to be a way to reset the failure count.

Sandy
-- 
Sandy Herring, RHCE                        o              sandy at herring.org
Peck of Pickled Pisces               __  o               http://herring.org/
*nix || Web authoring questions?  |\/ o\  o  http://herring.org/finger.html
->http://herring.org/techie.html  |/\__/     http://herring.org/pub-key.asc
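
Added example, not part of the original message: a small Python triage script for sshd lines of the kind quoted from /var/log/secure above, grouping events by user because the "Too many authentication failures" line carries no source address and the Postponed/Accepted pair is logged under two different sshd PIDs. The function names, the 192.0.2.10 documentation address and the "session opened" line are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the log lines quoted in the message;
# 192.0.2.10 is a documentation placeholder, not an address from the post.
SAMPLE = """\
Aug 27 13:53:40 pickled sshd[29209]: Disconnecting: Too many authentication failures for foo
Aug 27 14:06:36 pickled sshd[29381]: Postponed publickey for foo from ::ffff:192.0.2.10 port 37341 ssh2
Aug 27 14:06:46 pickled sshd[29380]: Accepted publickey for foo from ::ffff:192.0.2.10 port 37341 ssh2
Aug 27 14:06:46 pickled sshd[29380]: session opened for user foo
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[(\d+)\]: (.*)$")
TOO_MANY = re.compile(
    r"^Disconnecting: Too many authentication failures for (?:invalid user )?(\S+)")
AUTH = re.compile(r"^(Postponed|Accepted) (\S+) for (\S+) from (\S+) port (\d+)")

def parse(text):
    """Return one dict per recognised sshd authentication event."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd syslog line
        when, host, pid, msg = m.groups()
        ev = {"when": when, "host": host, "pid": int(pid)}
        if (t := TOO_MANY.match(msg)):
            # This message names the user only; there is no peer address in it.
            ev.update(kind="too_many_failures", user=t.group(1), source=None)
        elif (a := AUTH.match(msg)):
            ev.update(kind=a.group(1).lower(), method=a.group(2),
                      user=a.group(3), source=a.group(4))
        else:
            continue  # session open/close and other sshd chatter
        events.append(ev)
    return events

def summarize(events):
    """Per user: event counts, source addresses seen, and the latest event kind."""
    out = defaultdict(lambda: {"counts": Counter(), "sources": set(), "last": None})
    for ev in events:
        s = out[ev["user"]]
        s["counts"][ev["kind"]] += 1
        if ev["source"]:
            s["sources"].add(ev["source"])
        s["last"] = ev["kind"]
    return dict(out)

if __name__ == "__main__":
    for user, s in summarize(parse(SAMPLE)).items():
        print(user, dict(s["counts"]), sorted(s["sources"]), "last:", s["last"])
```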
