sshd 9.8 PerSourcePenalties

A new feature dropped in OpenSSH 9.8's sshd which applies penalties to client source addresses for certain behaviors against the ssh server. The documentation is… questionable: it isn't really explicit about how the feature works, and the sshd_config manual page is a bit unclear.

To turn off the feature entirely, set PerSourcePenalties no in sshd_config. This is not documented in the manual page at the moment, but it is the usual way of disabling a feature, so… I should have figured this out already.

The manual page mentions a keyword off for each of the individual options, which does not work: each option only accepts a duration in sshd's time format (a number with an optional unit such as s or m). To turn an individual option off, set it to 0s, or at least this is what I surmise.

How it works:

Every time your address triggers one of the penalized events, the number of seconds configured for that event is added to the penalty for your IP. Take the authfail option, for example: every time a connection fails to authenticate, that many seconds are added to your IP's penalty.

Once that accumulated penalty reaches min, enforcement starts and connections from your IP address are refused; below min the penalty is recorded but nothing is blocked.

Penalties run down by one second every second, so a 5 second penalty applied at second 0 is 4 seconds at second 1, 3 seconds at second 2, and so on until it expires.

The default for authfail is 5 seconds and the default for min is 15 seconds, so three authentication failures within the same second add up to the 15 second threshold and you will be unable to connect to the remote system for 15 seconds. Two failures (10 seconds) stay below min and are never enforced; further failures keep adding 5 seconds each, up to the max option (10 minutes by default).

Some of the penalties are very high. crash, for example, carries a 90s penalty, which is well above the default min of 15 seconds, so a single crash is enforced immediately and prevents you connecting for a minimum of 90 seconds afterwards. That is a good thing in general for well-behaved systems (that don't crash), and a sensible response to a client that may be probing sshd for memory-safety bugs.
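The accounting in the last few paragraphs (add seconds per event, drain one second per second, enforce once min is reached, cap at max) is easier to check with a small model. The following is an added example written for this page, not code from OpenSSH: it parses a PerSourcePenalties argument list in sshd's time format, replays events for a single source and reports the seconds at which a new connection from it would be refused. The defaults for authfail, crash, min and max are the documented sshd_config(5) values; the source address, the event timeline and the refused_seconds helper are constructed for the illustration.

```python
"""Model of OpenSSH 9.8 PerSourcePenalties accounting (added illustration, not OpenSSH code).

Option names and defaults follow sshd_config(5); the per-second drain, the min threshold
and "refuse until the penalty expires" are modelled as described in the post.  The time
parser accepts a number with an optional s/m/h/d/w unit, as sshd does, so the keyword
"off" is rejected, and a type set to 0s never adds a penalty.
"""
import re
from dataclasses import dataclass

# Documented sshd_config(5) defaults, in seconds, for the types used in the post.
# Other penalty types (noauth, grace-exceeded, refuseconnection) accrue the same way.
DEFAULTS = {"authfail": 5, "crash": 90, "min": 15, "max": 10 * 60}

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_DURATION = re.compile(r"(\d+)([smhdwSMHDW]?)")


def parse_duration(text: str) -> int:
    """Parse an sshd TIME FORMAT value ('90', '5s', '10m', '1h30m') into seconds.

    Anything else, including the keyword 'off', is rejected just as sshd rejects it.
    """
    if not re.fullmatch(r"(?:\d+[smhdwSMHDW]?)+", text):
        raise ValueError(f"invalid duration {text!r}: expected a number with optional unit")
    return sum(int(qty) * _UNIT_SECONDS[unit.lower()] for qty, unit in _DURATION.findall(text))


def parse_per_source_penalties(value: str):
    """Parse the arguments of a 'PerSourcePenalties ...' directive.

    Returns None for 'PerSourcePenalties no' (feature disabled); otherwise a dict of
    seconds per option, with the defaults filled in for anything not given.
    """
    if value.strip().lower() == "no":
        return None
    cfg = dict(DEFAULTS)
    for opt in value.split():
        name, sep, duration = opt.partition(":")
        if not sep or name not in cfg:
            raise ValueError(f"unknown or malformed option {opt!r}")
        cfg[name] = parse_duration(duration)
    return cfg


@dataclass
class Penalty:
    expiry: int             # absolute second at which the accumulated penalty reaches zero
    enforced: bool = False  # set once the penalty reaches min; stays set until expiry


class PenaltyTracker:
    """Per-source ledger: accumulate per event, drain 1s/s, enforce once min is reached."""

    def __init__(self, cfg):
        self.cfg = cfg        # None models 'PerSourcePenalties no'
        self.penalties = {}   # source address -> Penalty

    def penalise(self, src: str, kind: str, now: int) -> None:
        if self.cfg is None:
            return
        secs = self.cfg[kind]
        if secs == 0:                        # this type disabled, e.g. authfail:0s
            return
        p = self.penalties.get(src)
        if p is None or p.expiry <= now:     # no penalty, or it already drained: start afresh
            p = self.penalties[src] = Penalty(expiry=now)
        p.expiry = min(p.expiry + secs, now + self.cfg["max"])   # add, capped at max
        if p.expiry - now >= self.cfg["min"]:
            p.enforced = True                # reached min: refuse until the penalty expires

    def remaining(self, src: str, now: int) -> int:
        p = self.penalties.get(src)
        return 0 if p is None else max(0, p.expiry - now)

    def allowed(self, src: str, now: int) -> bool:
        p = self.penalties.get(src)
        if p is None or p.expiry <= now:     # no penalty, or it has drained to zero
            return True
        return not p.enforced                # below min: recorded but not enforced


def refused_seconds(cfg, events, horizon: int, src: str = "198.51.100.7") -> list:
    """Replay (second, kind) events for one constructed source and return the seconds
    within [0, horizon) at which a new connection from it would be refused."""
    tracker = PenaltyTracker(cfg)
    refused = []
    for now in range(horizon):
        for when, kind in events:
            if when == now:
                tracker.penalise(src, kind, now)
        if not tracker.allowed(src, now):
            refused.append(now)
    return refused


if __name__ == "__main__":
    defaults = parse_per_source_penalties("")
    # Three authentication failures in one second reach min: refused for 15 seconds.
    print(refused_seconds(defaults, [(0, "authfail")] * 3, 30))
    # A single crash is 90s on its own, so enforcement starts at once and lasts 90 seconds.
    print(len(refused_seconds(defaults, [(0, "crash")], 120)))
```

Running it reproduces the two cases above (three authfail events in one second are refused for 15 seconds, a single crash for 90) and also shows the edges the prose glosses over: two failures total 10 seconds, stay below min and are never enforced; two hundred failures are capped at max and clear after 10 minutes; and both PerSourcePenalties no and authfail:0s produce no refusal at all, while authfail:off is rejected at parse time.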

If you are performing a keyboard-interactive login and failing, there is typically a 3 second wait before you can type the password again, which makes it very difficult to trigger this penalty by hand: it would take far more failed attempts at the prompt to accumulate enough penalty before the earlier ones drain away.

I am however using these systems with some automation for integration testing, and it’s proving to be a real pain, as I’m encountering the effects of legacy workaround behavior on top of this new functionality. So for now, it’s off, which is a shame!