06-23-2021 06:31 PM
ip ssh authentication-retries 3 by its name limits the no. of authentication attempts, but what happens if I fail it 3 times? I can't find a clear explanation on this. Any idea?
09-18-2023 12:57 AM
I have the exact same question.
Is a client blocked permanently after 3 attempts?
If not permanently, then for how long exactly?
How do you restore access for that specific client again?
I know about the existence of the login block-for command, but I am not sure if these two commands are related?
10-09-2024 01:55 PM
I am also trying to google to find the answer to this. Apparently no one knows...
05-01-2025 02:17 PM
Yes, ip ssh authentication-retries 3 blocks access to the device for the defined number of seconds as configured with login block-for 900 attempts 3 within 120, where 900 is the number of seconds to block the account (15 minutes), 3 is the number of failed login attempts, and 120 is the number of seconds between the first and last unsuccessful login attempts (2 min).
Yes, the command is used in conjunction with block-for to harden the switch or router. Per the DISA STIG, the thresholds are below:
ip ssh authentication-retries 3
login block-for 900 attempts 3 within 120
The client is only blocked for the number of seconds configured, 900 seconds (15 minutes) when configured per the STIG. No user intervention is required to log back into the device once the timeout threshold has expired.
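An added example, not part of the posts above: a small audit that reads a saved running-config and reports whether the two commands quoted in the last reply are present with at least the thresholds given there. The function name `audit`, the sample configs (constructed) and the rule that a stricter value than the quoted one also passes are assumptions of this example.

```python
import re

# Thresholds as quoted in the thread (the poster's DISA STIG values).
STIG = {"retries": 3, "block_for": 900, "attempts": 3, "within": 120}

# Anchored at line start so negated ("no ...") or commented ("! ...") lines do not match.
RETRIES_RE = re.compile(r"^\s*ip ssh authentication-retries (\d+)\s*$", re.M)
BLOCK_RE = re.compile(r"^\s*login block-for (\d+) attempts (\d+) within (\d+)\s*$", re.M)


def audit(config: str) -> list[str]:
    """Return a list of findings; an empty list means both settings meet the thresholds."""
    findings = []

    m = RETRIES_RE.search(config)
    if m is None:
        findings.append("ip ssh authentication-retries is not configured")
    elif int(m.group(1)) > STIG["retries"]:
        findings.append(f"authentication-retries {m.group(1)} exceeds {STIG['retries']}")

    b = BLOCK_RE.search(config)
    if b is None:
        findings.append("login block-for is not configured")
    else:
        block_for, attempts, within = map(int, b.groups())
        # Assumption: longer block, fewer attempts, longer counting window = stricter.
        if block_for < STIG["block_for"]:
            findings.append(f"block-for {block_for}s is shorter than {STIG['block_for']}s")
        if attempts > STIG["attempts"]:
            findings.append(f"attempts {attempts} exceeds {STIG['attempts']}")
        if within < STIG["within"]:
            findings.append(f"within {within}s is shorter than {STIG['within']}s")
    return findings


# Constructed sample configs (not taken from any real device).
COMPLIANT = """hostname R1
ip ssh authentication-retries 3
login block-for 900 attempts 3 within 120
"""
WEAK = """hostname R2
ip ssh authentication-retries 5
login block-for 60 attempts 10 within 120
"""
MISSING = "hostname R3\n! login block-for 900 attempts 3 within 120\n"

if __name__ == "__main__":
    for name, cfg in (("COMPLIANT", COMPLIANT), ("WEAK", WEAK), ("MISSING", MISSING)):
        print(name, audit(cfg) or "OK")
```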