Opened 14 years ago

Closed 9 years ago

#5480 closed Bug report (fixed)

Password authentication not used if the public key authentication fails because of MaxAuthTries and number of keys in local agent

Reported by: mnaumann Owned by:
Priority: high Component: FileZilla Client
Keywords: sftp, password authentication, public key authentication, too-many-authentication-failures Cc:
Component version: Operating system type:
Operating system version: both: Windows and Linux

Description (last modified by Alexander Schuch)

I have several dozen SSH key pairs on this system. When trying to connect to an OpenSSH 2 server using the SFTP protocol, and try to authenticate with a password (as provided in the site manager), authentication fails and I end up with this message:

Too many authentication failures for <username>

What happens is that FileZilla uses pageant, detects thse key pairs I have, connects to the server and doesn't send my password, but tries as many of those key pairs as it can, which I have never asked for (I have not imported any of my SSH keys to FileZilla). After a few failed authentication requests (due to non-matching keys), the server drops the connection.
My log (edits are marked <like so>):

02:58:17	Status:	Connecting to web.sourceforge.net...
02:58:17	Trace:	Going to execute /home/<username>/FileZilla3/bin/fzsftp
02:58:17	Response:	fzSftp started
02:58:17	Trace:	CSftpControlSocket::ConnectParseResponse(fzSftp started)
02:58:17	Trace:	CSftpControlSocket::SendNextCommand()
02:58:17	Trace:	CSftpControlSocket::ConnectSend()
02:58:17	Command:	open "<username>@<server>" 22
02:58:17	Trace:	Server version: SSH-1.99-OpenSSH_5.1
02:58:17	Trace:	Using SSH protocol version 2
02:58:17	Trace:	We claim version: SSH-2.0-PuTTY_Local:_Jun_13_2010_23:34:32
02:58:17	Trace:	Doing Diffie-Hellman group exchange
02:58:18	Trace:	Doing Diffie-Hellman key exchange with hash SHA-256
02:58:19	Trace:	Host key fingerprint is:
02:58:19	Trace:	ssh-rsa 2048 <SSH fingerprint>
02:58:19	Trace:	Initialised AES-256 SDCTR client->server encryption
02:58:19	Trace:	Initialised HMAC-SHA1 client->server MAC algorithm
02:58:19	Trace:	Initialised AES-256 SDCTR server->client encryption
02:58:19	Trace:	Initialised HMAC-SHA1 server->client MAC algorithm
02:58:20	Trace:	Pageant is running. Requesting keys.
02:58:20	Trace:	Pageant has <many> SSH-2 keys
02:58:20	Trace:	Trying Pageant key #0
02:58:21	Trace:	Server refused public key
02:58:21	Trace:	Trying Pageant key #1
02:58:22	Trace:	Server refused public key
02:58:22	Trace:	Trying Pageant key #2
02:58:24	Trace:	Server refused public key
02:58:24	Trace:	Trying Pageant key #3
02:58:25	Trace:	Server refused public key
02:58:25	Trace:	Trying Pageant key #4
02:58:26	Trace:	Server refused public key
02:58:26	Trace:	Trying Pageant key #5
02:58:27	Trace:	Received disconnect message (protocol error)
02:58:27	Trace:	Disconnection message text: Too many authentication failures for <username>
02:58:27	Trace:	Server sent disconnect message
02:58:27	Trace:	type 2 (protocol error):
02:58:27	Trace:	"Too many authentication failures for <username>"
02:58:27	Error:	Server sent disconnect message
02:58:27	Error:	type 2 (protocol error):
02:58:27	Error:	"Too many authentication failures for <username>"
02:58:27	Trace:	CSftpControlSocket::ResetOperation(66)
02:58:27	Trace:	CControlSocket::ResetOperation(66)
02:58:27	Error:	Could not connect to server
02:58:27	Status:	Waiting to retry...
02:58:32	Status:	Connecting to <server>...
02:58:32	Trace:	Going to execute /home/user1/FileZilla3/bin/fzsftp
02:58:32	Response:	fzSftp started
02:58:32	Trace:	CSftpControlSocket::ConnectParseResponse(fzSftp started)
02:58:32	Trace:	CSftpControlSocket::SendNextCommand()
02:58:32	Trace:	CSftpControlSocket::ConnectSend()
02:58:32	Command:	open "<username>@<server>" 22
02:58:33	Trace:	Server version: SSH-1.99-OpenSSH_5.1
02:58:33	Trace:	Using SSH protocol version 2
02:58:33	Trace:	We claim version: SSH-2.0-PuTTY_Local:_Jun_13_2010_23:34:32
02:58:33	Trace:	Doing Diffie-Hellman group exchange
02:58:34	Trace:	Doing Diffie-Hellman key exchange with hash SHA-256
02:58:35	Trace:	Host key fingerprint is:
02:58:35	Trace:	ssh-rsa 2048 <ssh_fingerprint>
02:58:35	Trace:	Initialised AES-256 SDCTR client->server encryption
02:58:35	Trace:	Initialised HMAC-SHA1 client->server MAC algorithm
02:58:35	Trace:	Initialised AES-256 SDCTR server->client encryption
02:58:35	Trace:	Initialised HMAC-SHA1 server->client MAC algorithm
02:58:35	Trace:	Pageant is running. Requesting keys.
02:58:35	Trace:	Pageant has <many> SSH-2 keys
02:58:36	Trace:	Trying Pageant key #0
02:58:37	Trace:	Server refused public key
02:58:37	Trace:	Trying Pageant key #1
02:58:38	Trace:	Server refused public key
02:58:38	Trace:	Trying Pageant key #2
02:58:39	Trace:	Server refused public key
02:58:39	Trace:	Trying Pageant key #3
02:58:41	Trace:	Server refused public key
02:58:41	Trace:	Trying Pageant key #4
02:58:42	Trace:	Server refused public key
02:58:42	Trace:	Trying Pageant key #5
02:58:43	Trace:	Received disconnect message (protocol error)
02:58:43	Trace:	Disconnection message text: Too many authentication failures for <username>
02:58:43	Trace:	Server sent disconnect message
02:58:43	Trace:	type 2 (protocol error):
02:58:43	Trace:	"Too many authentication failures for <username>"
02:58:43	Error:	Server sent disconnect message
02:58:43	Error:	type 2 (protocol error):
02:58:43	Error:	"Too many authentication failures for <username>"
02:58:43	Trace:	CSftpControlSocket::ResetOperation(66)
02:58:43	Trace:	CControlSocket::ResetOperation(66)
02:58:43	Error:	Could not connect to server

Starting filezilla as

SSH_AUTH_SOCK= ./filezilla

works around this issue.

Change History (10)

comment:1 by mnaumann, 14 years ago

I was testing with FileZilla 3.3 and 3.1 - forgot to mention this. As such, I assume at least anything < 3.4 is affected.

comment:2 by Tim Kosse, 14 years ago

Resolution: wontfix
Status: newclosed

This is by design, FileZilla uses the system's SSH agent.

Just reconfigure the server to allow for more keys.

comment:3 by mnaumann, 14 years ago

Resolution: wontfix
Status: closedreopened

Hmm, I'm convinced that the issue I tried to describe was misunderstood, so I'm reopening this bug. The issue I'm reporting is that I cannot authenticate by password when there are any SSH keys on the system the FileZilla client is running on. And even though I have provided a password in the server profile, no attempts to authenticate by tunnelled clear text passwords are made if the presence of SSH key pairs is detected by the FileZilla client/pageant.

comment:4 by Alexander Schuch, 12 years ago

Another report at #7739 is about the very same problem. Password-based authentication is not even tried if too many key pairs are configured.

comment:5 by Alexander Schuch, 12 years ago

Keywords: sftp too many failures added; SFTP pageant login failure denied removed

comment:6 by Alexander Schuch, 10 years ago

The issue #8232 is related.

comment:7 by random2736, 10 years ago

Keywords: password public key added; too many failures removed
Operating system type: LinuxWindows
Operating system version: Ubuntu 10.04 x86_64 (2.6.32-24-generic)Windows 7 x64
Summary: SFTP fails with: Too many authentication failures for <username>Password authentication not used if the public key authentication fails because of MaxAuthTries and number of keys in local agent

I'm having *exactly* the same problem.
Client: 3.6.0.2 (Windows 7 64 bit)
Server: OpenSSH_6.0p1 (Ubuntu)

Server message: sshd[9557]: Disconnecting: Too many authentication failures for user [preauth]

I am using a ssh key agent with plenty of keys used (eight at the moment) and I have to use a *password* on this server. Unfortunately I can't.
I am asked for a password but it's never used. At the same time I am able to login using WinSCP.

So what we need is to possibility either for using the certain key (provided withing Filezilla) AND/OR to be able to NOT use ssh password. Honestly... it should be user's decision whether to use ssh keys or not.

Thanks in advance.

comment:8 by random2736, 10 years ago

Operating system type: Windows
Operating system version: Windows 7 x64both: Windows and Linux

comment:9 by Alexander Schuch, 9 years ago

Description: modified (diff)
Keywords: too-many-authentication-failures added

comment:10 by Tim Kosse, 9 years ago

Resolution: fixed
Status: reopenedclosed

Will be solved via #8232

Note: See TracTickets for help on using tickets.