Show Contents / Index / Search

Authentication Pane

Getting there

Note: The settings on this pane affect all user connections, regardless of the client authentication method used. These settings are not available when you are configuring subconfigurations. You can configure additional authentication settings using the Password, Public Key, and GSSAPI / Kerberos V5 panes. Settings on those panes are supported in subconfigurations

The options are:

Login grace time


Grace time for completion of authentication process (seconds)

Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit.



Note: Specifying no limit (0) is not recommended. Unauthenticated connections use up system resources and can lead to a denial-of-service condition.

IP blocking

You can use the following settings to temporarily block connections from any client IP address that has exceeded a specified number of failed attempts. If a particular IP address exceeds the value set for Failed attempts, within the time period specified by Failure time-out, that IP address is blocked for the duration specified by Lockout duration.


  • IP blocking applies only to password authentication (both traditional and Keyboard Interactive). Failed authentication attempts made using public key and GSSAPI authentication do not add to a user's count of failed attempts.
  • You can disable the IP Blocking feature by setting Failed Attempts to 0 (zero).
  • IP blocking information is stored in memory, and is cleared if the server is restarted.
  • You can lock out offending addresses permanently from the Client Host Access Control pane.


Failed attempts

Sets a maximum number of failed login attempts permitted from an IP address for the time period specified by the Failure time-out setting. The default is 20. To disable IP blocking, set this value to zero (0).

Information about the number of failed login attempts is stored in memory and, if the server is restarted, the count resets to zero.


Failure time-out (seconds)

Sets a duration of time, in seconds, during which an IP address is monitored for failed login attempts. The default is 300 seconds (5 minutes).


Lockout duration (seconds)

Sets the number of seconds an IP address remains blocked after the value set for Failed attempts is exceeded. The default is 3600 seconds (one hour).

Related Topics

Client Host Access Control Pane

Client Authentication