Re: SSH_AUTH_SOCK behavior is completely insane

On Wed, Nov 22, 2017 at 6:07 PM cen <imbacen@xxxxxxxxx> wrote:
> Whose good idea in the history of Linux was it to turn the ssh agent on by
> default when one has more than 5 private keys available? This is what I
> just got:

> ssh -i mykey.pem user@myhost
> Received disconnect from ... port 22:2: Too many authentication failures
> Authentication failed.


> Then I do export SSH_AUTH_SOCK="" and surprise! I am logged in. And I am
> not even sure why this suddenly stopped working; I swear to God
> specifying the key used to override the agent.

> So apparently the agent even overrides my -i flag which explicitly
> specifies which key to use. Instead of taking my key as I specify, ssh
> agent will go and try every single key file in my .ssh directory and
> fail after 5 times because any sane remote ssh server will block you
> after failing so many times.


It does seem like command-line options should be used first.
 
> Anyone doing linux admin or dev work has more than 5 keys in their .ssh
> directory, rendering the agent completely USELESS PIECE OF SHIT PROGRAM.


I think you're being unnecessarily unfriendly. There's no need for that.

As for the number of keys, I don't know why anybody would need more than one "identity key" to identify a single individual on a single machine. I do tons of work with SSH, and I've never had more than 2, and the second was only a temporary one I created for a specific test and deleted 5 minutes later. Not that this matters... if you have need for more keys, that's up to you.
 

> Does everyone disable agent first thing after installing Fedora? How
> else do you even manage to survive with this crap running?


Do you mean Fedora? I suspect you mean GNOME. Specifically, gnome-keyring-daemon, which runs by default in GNOME, but I'm sure it can be disabled (never bothered to check; personally, I find it very useful, and if I didn't... I wouldn't store identity keys in it).
 
> Why would agent even try with other keys if I SPECIFY the goddamn key!
> It doesn't make any sense!


Why are you putting identities in the agent at all if you're not using it?
Or, why not just set IdentityAgent to "none" in your ~/.ssh/config file if you don't want to use it? Or, use '-o IdentityAgent=none' on the command-line? Or do what you already did, and override SSH_AUTH_SOCK in your env.
 
> How do I turn it off in all shells for all users forever? How do I nuke
> this from system? .bash_profile export does not seem to cut it.


Set IdentityAgent to "none" in /etc/ssh/ssh_config
(Try 'man ssh_config' for more details)

It won't work in .bash_profile for terminals inside GNOME because GNOME sets it after you log in and your session has already started.
 
> Not to mention the same shit happens when you open gnome files and try
> to connect to remote location, except you can't even specify the key in
> the UI. It will just try a bunch of keys until you are blocked by remote.
>
> And there are numerous other programs that do this, like Filezilla.
>
> I just don't get it apparently..


I don't see why you're getting so upset. It's not hard to avoid using the agent if you don't want to use it. The easiest thing is to not put identities in it in the first place if you don't want them to be used. The next easiest is to change the ssh config to skip the agent. Neither is hard.

But, I do agree with you on the unintuitive nature of not trying the identity from the command-line first. I'm sure the openssh upstream would be happy to consider a *friendly* request or patch (emphasis on friendly... vs. how you started this thread) to do that as an improvement to the user experience. Same with GNOME Files and the upstream GNOME devs.
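The fixes the reply describes (IdentityAgent set to none in ssh_config, or overriding SSH_AUTH_SOCK), together with the narrower IdentitiesOnly option that keeps the agent but stops it from offering any key beyond the ones named by IdentityFile or -i, as an added shell example that is not part of this thread and not OpenSSH's own code. The "Too many authentication failures" disconnect is the server's MaxAuthTries limit (default 6), so the agent only has to hold that many keys for `ssh -i mykey.pem` to fail before the -i key is ever tried. Host name, user name and key path below are placeholders; the awk lookup is a simplified reading of ssh_config (exact Host match, first value wins) and `ssh -G myhost` is the authoritative check when ssh is installed.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from OpenSSH.
# Placeholders (assumptions): host "myhost", user "user", key "~/.ssh/mykey.pem".
set -eu

# Per-host block. IdentitiesOnly=yes makes ssh offer only the configured
# IdentityFile(s) plus anything passed with -i, even when the agent holds more
# keys, so stray agent identities never burn through the server's MaxAuthTries.
# The agent is still used to sign with that key if it happens to be loaded.
render_host_block() {
  host=$1; user=$2; keyfile=$3
  printf 'Host %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
    "$host" "$user" "$keyfile"
}

# Global variant of the same idea: keep the agent, but for every host only
# offer keys named by IdentityFile or -i (this alone fixes `ssh -i mykey.pem`).
render_global_identities_only() {
  printf 'Host *\n    IdentitiesOnly yes\n\n'
}

# The reply's option: bypass the agent entirely (OpenSSH 7.3+ understands
# IdentityAgent). Same effect as SSH_AUTH_SOCK="", but a desktop session that
# re-exports SSH_AUTH_SOCK after login cannot undo it.
render_no_agent_block() {
  printf 'Host *\n    IdentityAgent none\n\n'
}

# Append a block (read from stdin) to a config file, creating it mode 0600.
install_block() {
  cfg=$1
  ( umask 077; mkdir -p "$(dirname "$cfg")"; cat >> "$cfg" )
}

# Read one option from a given Host block. Simplified ssh_config reading:
# exact Host match, keyword is case-insensitive, first value wins (which is
# also how ssh resolves options, so per-host blocks must precede `Host *`).
config_option() {
  cfg=$1; host=$2
  key=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  awk -v h="$host" -v k="$key" '
    tolower($1) == "host" { inblock = ($2 == h); next }
    inblock && tolower($1) == k { print $2; exit }
  ' "$cfg"
}

# How many identities the agent is offering right now (0 if none, or no agent).
# At or above the server's MaxAuthTries (default 6), -i alone will fail.
agent_key_count() {
  if ssh-add -l >/dev/null 2>&1; then
    ssh-add -l | wc -l | tr -d ' '
  else
    echo 0
  fi
}

# Demo against a scratch directory, never the real ~/.ssh. Run: sh fix.sh demo
demo() {
  t=$(mktemp -d)
  render_host_block myhost user "$HOME/.ssh/mykey.pem" | install_block "$t/config"
  render_no_agent_block | install_block "$t/config"
  echo "agent keys currently loaded: $(agent_key_count)"
  echo "myhost IdentitiesOnly: $(config_option "$t/config" myhost IdentitiesOnly)"
  echo "* IdentityAgent: $(config_option "$t/config" '*' IdentityAgent)"
  if command -v ssh >/dev/null 2>&1; then
    # Authoritative view of the effective options, as ssh itself resolves them.
    ssh -G -F "$t/config" myhost | grep -iE '^(identitiesonly|identityagent|identityfile) '
  fi
  rm -rf "$t"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Order matters in ssh_config: the first value obtained for an option wins, so a per-host block has to come before a `Host *` block or the global setting silently overrides it. Setting the global block in /etc/ssh/ssh_config instead of ~/.ssh/config is what makes it apply to every user and every terminal, which is what the .bash_profile export could not do.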

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx