On 23Nov2017 00:06, cen <imbacen@xxxxxxxxx> wrote:
> Whose good idea in the history of Linux was to turn ssh agent on by
> default when one has more than 5 private keys available? This is what
> I just got:
>
>   ssh -i mykey.pem user@myhost
>   Received disconnect from ... port 22:2: Too many authentication failures
>   Authentication failed.
>
> Then I do export SSH_AUTH_SOCK="" and surprise! I am logged in. And I
> am not even sure why this suddenly stopped working, I swear to God
> specifying the key used to override the agent.

No, as far as I recall it merely uses that key in addition to the agent. What
gets used first might depend on the key types, too.
Have you experimented with specifying the key file in the ssh_config for
whatever hosts require that key? Don't forget that the .ssh/config file accepts
shell style globs in the Host clause names, quite handy for some things.
Example from mine:

  Host *-direct
    ControlPath none

Adjust to suit.

I keep a no-ssh-agent wrapper script around to run commands without access to
my agent. Usage:

  no-ssh-agent some-ssh-stuff ...

> So apparently the agent even overrides my -i flag which explicitly
> specifies which key to use. Instead of taking my key as I specify, ssh
> agent will go and try every single key file in my .ssh directory and
> fail after 5 times because any sane remote ssh server will block you
> after failing so many times.

Have you examined the output of "ssh -v" for this connection? Have you
confirmed that your -i key is being offered after all your agent keys?

> Anyone doing linux admin or dev work has more than 5 keys in their
> .ssh directory, rendering the agent completely USELESS PIECE OF SHIT
> PROGRAM.

Actually, no.
I've been doing that kind of work (admin and dev) for decades and I don't think
I've ever had as many as 5 keys in my agents. I've got 4 right now, 3 being my
personal keys (rsa, dsa, ed25519) to accommodate different key type acceptance
and 1 special key for a third party project I'm working on right now. I could
probably get my personal keys down to 2 if I spent a little time auditing my
target hosts.

> Does everyone disable agent first thing after installing Fedora? How else do
> you even manage to survive with this crap running?

Shrug. I live mostly on a Mac right now, which also provides a shared agent for
your desktop. Quite handy really.

> Why would agent even try with other keys if I SPECIFY the goddamn key!
> It doesn't make any sense!

I am surprised that it tries the agent keys before the -i key; have you
verified this with an "ssh -v"?

> How do I turn it off in all shells for all users forever?

Don't. Turn it off for your own shells perhaps, probably in your .bashrc.

> How do I nuke this from system? .bash_profile export does not seem to cut it.

Surprising. I thought the Fedora bashrc sourced the bash_profile.
Cheers,
Cameron Simpson <cs@xxxxxxxxxx> (formerly cs@xxxxxxxxxx)
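
Added example, not part of the original message: a small shell function that answers the "ssh -v" question asked above by counting how many keys were offered before the -i key. The function names, the sample log and its fingerprints are constructed for illustration; IdentitiesOnly is a standard ssh_config option that the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ssh -v` debug output on stdin
# and prints how many keys were offered before the key named in $1, or
# "never" if the server disconnected before that key was tried.
# Real use:  ssh -v -i mykey.pem user@myhost 2>&1 | offers_before_key mykey.pem
offers_before_key() {
    awk -v key="$1" '
        BEGIN { n = 0 }
        # Matches both "Offering public key: PATH TYPE FP agent" (newer
        # OpenSSH) and "Offering RSA public key: PATH" (older releases).
        /debug1: Offering .*public key:/ {
            if (index($0, key)) { found = 1; print n; exit }
            n++
        }
        END { if (!found) print "never" }
    '
}

# Constructed sample of client debug output: three agent keys, then the -i key.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTED-1 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_dsa DSA SHA256:CONSTRUCTED-2 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED-3 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: mykey.pem RSA SHA256:CONSTRUCTED-4 explicit
debug1: Server accepts key: mykey.pem RSA SHA256:CONSTRUCTED-4 explicit
EOF
}

# Every offer counts against the server's sshd_config MaxAuthTries limit.
# To offer only the key you name (assumption: the agent keys are not needed
# for this host), run:  ssh -o IdentitiesOnly=yes -i mykey.pem user@myhost
# or put "IdentityFile" and "IdentitiesOnly yes" in a Host block.
sample_log | offers_before_key mykey.pem   # prints 3
```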