sshd: Too many authentication failures

[skyblaster]

Using the instructions at https://sonic.software/ to launch the sonic-vs image in QEMU, SSH fails to connect to master and 202405 builds with the following error:

❯ ssh admin@localhost -p 5555
Debian GNU/Linux 12 \n \l

Received disconnect from 127.0.0.1 port 5555:2: Too many authentication failures
Disconnected from 127.0.0.1 port 5555

Comparing the relevant parts of /etc/ssh/sshd_config, it appears that MaxAuthTries is set to too low of a value. If I increase this to 6 (the commented value), or remove the line completely, then it is possible to make a connection.

202311 builds:

# Close inactive client sessions after 15 minutes
ClientAliveInterval 900
ClientAliveCountMax 0
LogLevel VERBOSE

Master and 202405 builds

# Close inactive client sessions after 5 minutes
ClientAliveInterval 300
ClientAliveCountMax 0
MaxAuthTries 3
Banner /etc/issue
LogLevel VERBOSE

I suspect this is a result of the bump from Debian 11 to 12.
It's possible that #99 contains a fix, but I haven't tested the patches to confirm.

[amazor]

Can you send the verbose output of the ssh connection? please try using ssh -vvv when connecting.

[skyblaster]

Thanks for the hint!
I see that OpenSSH is attempting to use my private keys first and of course fails.
If I add -o PubkeyAuthentication=no to the command, then the issue goes away.

❯ ssh admin@localhost -p 5555 -o PubkeyAuthentication=no
ssh_debug.txt

[amazor]

Hi,
I am unable to find why the default MaxAuthTries is 3. Changes made to SSH config is related to this HLD: https://github.com/ycoheNvidia/SONiC/blob/ea7eccf80137d945b1fd2d2980bf693526a22246/doc/ssh_config/ssh_config.md

Please take a look to see how to configure SSH server using the sonic management interface and up the number of MaxAuthTries.

@ycoheNvidia Can you explain why the default was changed from 6 to 3?

@skyblaster, I noticed in your ssh_debug.txt log that you have up to 9 keys SSH will attempt before attempting public key authentication, so i am curious why the default (6) still works for you.

[ycoheNvidia]

@amazor I don't know why it was changed, the code does not force default values, we based the HLD default values on default openssl values.

[amazor]

I do not see any SSH_SERVER table in config_db by default, so no settings should be updated through the flow created by @ycoheNvidia. Instead, i see it was updated through this PR directly in the build_debian.sh script.
sonic-net/sonic-buildimage#17798

These settings were changed "according to Sonic OS review result", as seen in the PR.

Whether or not these configuration changes are "correct" or not is subjective, but i do believe these settings should be updated using the existing SSH_SERVER policy table in config_db rather than hardcoding when building debians.

@ycoheNvidia Do you agree? Should i make a PR that updates the config_db.json file to include these "hardened" default values, and removes the hardcoded values from the build_debian.sh script?

[amazor]

Hi @abdosi,
What are your thoughts on the changes mentioned above?