Context Navigation

Support for PreferredAuthentications in OpenSSH configuration

Reported by:	anshnd	Owned by:	dkocher
Priority:	normal	Milestone:	7.7.2
Component:	sftp	Version:	7.6.1
Severity:	major	Keywords:	too many login failures
Cc:	danmichaelo@gmail.com	Architecture:	Intel
Platform:	macOS 10.15

Description (last modified by anshnd)

This is a regression with builds 6.0.4 as well as 5.4.4. I had to revert to 5.2.2 which works as expected.

The problem:

I only have a password to authenticate against this SSH server. Command-line ssh used to give this error because it tries other client certificates before the server gives up. I had since then changed ~/.ssh/config to have these two lines

Host the.host.name.com
    PreferredAuthentications password

command-line ssh works fine. CyberDuck used to work fine but upgrading to latest build broke this.

Change History (20)

comment:1 Changed on Jun 5, 2017 at 5:47:18 PM by anshnd

Component changed from core to sftp
Owner set to dkocher

comment:2 Changed on Jun 5, 2017 at 5:47:38 PM by anshnd

Severity changed from normal to major

comment:3 Changed on Jun 6, 2017 at 8:29:30 AM by dkocher

Summary changed from regression: Too many authentication failures for actualusername when using passwords to Too many authentication failures for actualusername when using passwords

comment:4 Changed on Jun 6, 2017 at 8:43:11 AM by dkocher

Milestone set to 6.1

comment:5 Changed on Jun 26, 2017 at 1:57:19 PM by dkocher

Summary changed from Too many authentication failures for actualusername when using passwords to Too many authentication failures when using password

comment:6 Changed on Jun 26, 2017 at 2:19:59 PM by dkocher

Description modified (diff)

comment:7 Changed on Jun 26, 2017 at 2:37:08 PM by dkocher

Milestone changed from 6.1 to 7.0

Ticket retargeted after milestone closed

comment:8 Changed on Jul 1, 2017 at 5:20:08 PM by anshnd

Description modified (diff)

comment:9 Changed on Oct 14, 2017 at 7:17:02 PM by dkocher

Milestone changed from 7.0 to 6.2.9
Resolution set to worksforme
Status changed from new to closed

Please double check your bookmark settings does not have a private key selected for public key authentication that is tried first and may lead to an authentication failure if the server has limited the number of auth attempts.

comment:10 Changed on Oct 11, 2020 at 9:05:54 PM by danmichaelo

Cc danmichaelo@gmail.com added
Milestone changed from 6.2.9 to 8.0
Platform set to macOS 10.15
Resolution worksforme deleted
Status changed from closed to reopened
Version changed from 6.0.4 to 7.6.1

This issue has plagued me for a long time, to the extent that I use sshfs most of the time instead. If I check my server logs, I can see that Cyberduck tries all my ssh keys:

Oct 11 20:53:30 [REDACTED] sshd[29300]: Connection from [REDACTED] port 56376 on [REDACTED] port 22
Oct 11 20:53:31 [REDACTED] sshd[29300]: Failed publickey for pimcore from [REDACTED] port 56376 ssh2: RSA SHA256:[REDACTED]
Oct 11 20:53:31 [REDACTED] sshd[29300]: Failed publickey for pimcore from [REDACTED] port 56376 ssh2: RSA SHA256:[REDACTED]
Oct 11 20:53:31 [REDACTED] sshd[29300]: Failed publickey for pimcore from [REDACTED] port 56376 ssh2: RSA SHA256:[REDACTED]
Oct 11 20:53:31 [REDACTED] sshd[29300]: Failed publickey for pimcore from [REDACTED] port 56376 ssh2: RSA SHA256:[REDACTED]
Oct 11 20:53:31 [REDACTED] sshd[29300]: Failed publickey for pimcore from [REDACTED] port 56376 ssh2: RSA SHA256:[REDACTED]
Oct 11 20:53:31 [REDACTED] sshd[29300]: Failed publickey for pimcore from [REDACTED] port 56376 ssh2: RSA SHA256:[REDACTED]
Oct 11 20:53:31 [REDACTED] sshd[29300]: Failed publickey for pimcore from [REDACTED] port 56376 ssh2: RSA SHA256:[REDACTED]
Oct 11 20:53:31 [REDACTED] sshd[29300]: Failed publickey for pimcore from [REDACTED] port 56376 ssh2: RSA SHA256:[REDACTED]
Oct 11 20:53:31 [REDACTED] sshd[29300]: error: maximum authentication attempts exceeded for pimcore from [REDACTED] port 56376 ssh2 [preauth]

Despite that I did set

Host [REDACTED]
  PreferredAuthentications password
  PubkeyAuthentication no

Command line sftp and sshfs works fine. Let me know if I can provide more information to help debugging this. I did try enable debug logging, but it didn't seem like it provided much additional information.

feil	22:53:31.318581+0200	Cyberduck	Dying because - Too many authentication failures
standard	22:53:31.320296+0200	Cyberduck	net.schmizz.sshj.transport.TransportException: [PROTOCOL_ERROR] Too many authentication failures
standard	22:53:31.320343+0200	Cyberduck		at net.schmizz.sshj.transport.TransportImpl.gotDisconnect(TransportImpl.java:565)
standard	22:53:31.320379+0200	Cyberduck		at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:521)
standard	22:53:31.320413+0200	Cyberduck		at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:113)
standard	22:53:31.320450+0200	Cyberduck		at net.schmizz.sshj.transport.Decoder.received(Decoder.java:203)
standard	22:53:31.320480+0200	Cyberduck		at net.schmizz.sshj.transport.Reader.run(Reader.java:60)

I'm using Cyberduck 7.6.1, but this has been an issue for a long, long time.

comment:11 Changed on Oct 12, 2020 at 12:07:58 PM by dkocher

Status changed from reopened to new

comment:12 Changed on Oct 12, 2020 at 3:17:56 PM by dkocher

Refer to OpenSSH Configuration Interoperability. We do not currently support the PreferredAuthentications directive.

comment:13 Changed on Oct 16, 2020 at 10:20:19 AM by dkocher

Summary changed from Too many authentication failures when using password to Support for PreferredAuthentications in OpenSSH configuration
Type changed from defect to enhancement