Opened 14 years ago
Closed 9 years ago
#5480 closed Bug report (fixed)
Password authentication not used if the public key authentication fails because of MaxAuthTries and number of keys in local agent
| Reported by: | mnaumann | Owned by: | |
|---|---|---|---|
| Priority: | high | Component: | FileZilla Client |
| Keywords: | sftp, password authentication, public key authentication, too-many-authentication-failures | Cc: | |
| Component version: | Operating system type: | ||
| Operating system version: | both: Windows and Linux |
Description (last modified by )
I have several dozen SSH key pairs on this system. When trying to connect to an OpenSSH 2 server using the SFTP protocol, and try to authenticate with a password (as provided in the site manager), authentication fails and I end up with this message:
Too many authentication failures for <username>
What happens is that FileZilla uses pageant, detects thse key pairs I have, connects to the server and doesn't send my password, but tries as many of those key pairs as it can, which I have never asked for (I have not imported any of my SSH keys to FileZilla). After a few failed authentication requests (due to non-matching keys), the server drops the connection.
My log (edits are marked <like so>):
02:58:17 Status: Connecting to web.sourceforge.net... 02:58:17 Trace: Going to execute /home/<username>/FileZilla3/bin/fzsftp 02:58:17 Response: fzSftp started 02:58:17 Trace: CSftpControlSocket::ConnectParseResponse(fzSftp started) 02:58:17 Trace: CSftpControlSocket::SendNextCommand() 02:58:17 Trace: CSftpControlSocket::ConnectSend() 02:58:17 Command: open "<username>@<server>" 22 02:58:17 Trace: Server version: SSH-1.99-OpenSSH_5.1 02:58:17 Trace: Using SSH protocol version 2 02:58:17 Trace: We claim version: SSH-2.0-PuTTY_Local:_Jun_13_2010_23:34:32 02:58:17 Trace: Doing Diffie-Hellman group exchange 02:58:18 Trace: Doing Diffie-Hellman key exchange with hash SHA-256 02:58:19 Trace: Host key fingerprint is: 02:58:19 Trace: ssh-rsa 2048 <SSH fingerprint> 02:58:19 Trace: Initialised AES-256 SDCTR client->server encryption 02:58:19 Trace: Initialised HMAC-SHA1 client->server MAC algorithm 02:58:19 Trace: Initialised AES-256 SDCTR server->client encryption 02:58:19 Trace: Initialised HMAC-SHA1 server->client MAC algorithm 02:58:20 Trace: Pageant is running. Requesting keys. 02:58:20 Trace: Pageant has <many> SSH-2 keys 02:58:20 Trace: Trying Pageant key #0 02:58:21 Trace: Server refused public key 02:58:21 Trace: Trying Pageant key #1 02:58:22 Trace: Server refused public key 02:58:22 Trace: Trying Pageant key #2 02:58:24 Trace: Server refused public key 02:58:24 Trace: Trying Pageant key #3 02:58:25 Trace: Server refused public key 02:58:25 Trace: Trying Pageant key #4 02:58:26 Trace: Server refused public key 02:58:26 Trace: Trying Pageant key #5 02:58:27 Trace: Received disconnect message (protocol error) 02:58:27 Trace: Disconnection message text: Too many authentication failures for <username> 02:58:27 Trace: Server sent disconnect message 02:58:27 Trace: type 2 (protocol error): 02:58:27 Trace: "Too many authentication failures for <username>" 02:58:27 Error: Server sent disconnect message 02:58:27 Error: type 2 (protocol error): 02:58:27 Error: "Too many authentication failures for <username>" 02:58:27 Trace: CSftpControlSocket::ResetOperation(66) 02:58:27 Trace: CControlSocket::ResetOperation(66) 02:58:27 Error: Could not connect to server 02:58:27 Status: Waiting to retry... 02:58:32 Status: Connecting to <server>... 02:58:32 Trace: Going to execute /home/user1/FileZilla3/bin/fzsftp 02:58:32 Response: fzSftp started 02:58:32 Trace: CSftpControlSocket::ConnectParseResponse(fzSftp started) 02:58:32 Trace: CSftpControlSocket::SendNextCommand() 02:58:32 Trace: CSftpControlSocket::ConnectSend() 02:58:32 Command: open "<username>@<server>" 22 02:58:33 Trace: Server version: SSH-1.99-OpenSSH_5.1 02:58:33 Trace: Using SSH protocol version 2 02:58:33 Trace: We claim version: SSH-2.0-PuTTY_Local:_Jun_13_2010_23:34:32 02:58:33 Trace: Doing Diffie-Hellman group exchange 02:58:34 Trace: Doing Diffie-Hellman key exchange with hash SHA-256 02:58:35 Trace: Host key fingerprint is: 02:58:35 Trace: ssh-rsa 2048 <ssh_fingerprint> 02:58:35 Trace: Initialised AES-256 SDCTR client->server encryption 02:58:35 Trace: Initialised HMAC-SHA1 client->server MAC algorithm 02:58:35 Trace: Initialised AES-256 SDCTR server->client encryption 02:58:35 Trace: Initialised HMAC-SHA1 server->client MAC algorithm 02:58:35 Trace: Pageant is running. Requesting keys. 02:58:35 Trace: Pageant has <many> SSH-2 keys 02:58:36 Trace: Trying Pageant key #0 02:58:37 Trace: Server refused public key 02:58:37 Trace: Trying Pageant key #1 02:58:38 Trace: Server refused public key 02:58:38 Trace: Trying Pageant key #2 02:58:39 Trace: Server refused public key 02:58:39 Trace: Trying Pageant key #3 02:58:41 Trace: Server refused public key 02:58:41 Trace: Trying Pageant key #4 02:58:42 Trace: Server refused public key 02:58:42 Trace: Trying Pageant key #5 02:58:43 Trace: Received disconnect message (protocol error) 02:58:43 Trace: Disconnection message text: Too many authentication failures for <username> 02:58:43 Trace: Server sent disconnect message 02:58:43 Trace: type 2 (protocol error): 02:58:43 Trace: "Too many authentication failures for <username>" 02:58:43 Error: Server sent disconnect message 02:58:43 Error: type 2 (protocol error): 02:58:43 Error: "Too many authentication failures for <username>" 02:58:43 Trace: CSftpControlSocket::ResetOperation(66) 02:58:43 Trace: CControlSocket::ResetOperation(66) 02:58:43 Error: Could not connect to server
Starting filezilla as
SSH_AUTH_SOCK= ./filezilla
works around this issue.
Change History (10)
comment:1 by , 14 years ago
comment:2 by , 14 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
This is by design, FileZilla uses the system's SSH agent.
Just reconfigure the server to allow for more keys.
comment:3 by , 14 years ago
| Resolution: | wontfix |
|---|---|
| Status: | closed → reopened |
Hmm, I'm convinced that the issue I tried to describe was misunderstood, so I'm reopening this bug. The issue I'm reporting is that I cannot authenticate by password when there are any SSH keys on the system the FileZilla client is running on. And even though I have provided a password in the server profile, no attempts to authenticate by tunnelled clear text passwords are made if the presence of SSH key pairs is detected by the FileZilla client/pageant.
comment:4 by , 11 years ago
Another report at #7739 is about the very same problem. Password-based authentication is not even tried if too many key pairs are configured.
comment:5 by , 11 years ago
| Keywords: | sftp too many failures added; SFTP pageant login failure denied removed |
|---|
comment:7 by , 10 years ago
| Keywords: | password public key added; too many failures removed |
|---|---|
| Operating system type: | Linux → Windows |
| Operating system version: | Ubuntu 10.04 x86_64 (2.6.32-24-generic) → Windows 7 x64 |
| Summary: | SFTP fails with: Too many authentication failures for <username> → Password authentication not used if the public key authentication fails because of MaxAuthTries and number of keys in local agent |
I'm having *exactly* the same problem.
Client: 3.6.0.2 (Windows 7 64 bit)
Server: OpenSSH_6.0p1 (Ubuntu)
Server message: sshd[9557]: Disconnecting: Too many authentication failures for user [preauth]
I am using a ssh key agent with plenty of keys used (eight at the moment) and I have to use a *password* on this server. Unfortunately I can't.
I am asked for a password but it's never used. At the same time I am able to login using WinSCP.
So what we need is to possibility either for using the certain key (provided withing Filezilla) AND/OR to be able to NOT use ssh password. Honestly... it should be user's decision whether to use ssh keys or not.
Thanks in advance.
comment:8 by , 10 years ago
| Operating system type: | Windows |
|---|---|
| Operating system version: | Windows 7 x64 → both: Windows and Linux |
comment:9 by , 9 years ago
| Description: | modified (diff) |
|---|---|
| Keywords: | too-many-authentication-failures added |
I was testing with FileZilla 3.3 and 3.1 - forgot to mention this. As such, I assume at least anything < 3.4 is affected.