I did use -v and it does use other keys first. It probably uses my key
down the road but you can never see that because the remote blocks you
before it happens.

On 11/23/2017 01:53 AM, Cameron Simpson wrote:
> On 23Nov2017 00:06, cen <imbacen@xxxxxxxxx> wrote:
>> Whose good idea in the history of Linux was to turn ssh agent on by
>> default when one has more than 5 private keys available? This is what
>> I just got:
>>
>> ssh -i mykey.pem user@myhost
>> Received disconnect from ... port 22:2: Too many authentication failures
>> Authentication failed.
>>
>> Then I do export SSH_AUTH_SOCK="" and surprise! I am logged in. And I
>> am not even sure why this suddenly stopped working, I swear to God
>> specifying the key used to override the agent.
>
> No, as far as I recall it merely uses that key in addition to the
> agent. What gets used first might depend on the key types, too.
>
> Have you experimented with specifying the key file in the ssh_config
> for whatever hosts require that key? Don't forget that the .ssh/config
> file accepts shell style globs in the Host clause names, quite handy
> for some things. Example from mine:
>
> Host *-direct
>     ControlPath none
>
> Adjust to suit.
>
> I keep a no-ssh-agent wrapper script around to run commands without
> access to my agent. Usage:
>
> no-ssh-agent some-ssh-stuff ...
>
>> So apparently the agent even overrides my -i flag which explicitly
>> specifies which key to use. Instead of taking my key as I specify,
>> ssh agent will go and try every single key file in my .ssh directory
>> and fail after 5 times because any sane remote ssh server will block
>> you after failing so many times.
>
> Have you examined the output of "ssh -v" for this connection? Have you
> confirmed that your -i key is being offered after all your agent keys?
>
>> Anyone doing Linux admin or dev work has more than 5 keys in their
>> .ssh directory, rendering the agent completely USELESS PIECE OF SHIT
>> PROGRAM.
>
> Actually, no.
>
> I've been doing that kind of work (admin and dev) for decades and I
> don't think I've ever had as many as 5 keys in my agents. I've got 4
> right now, 3 being my personal keys (rsa, dsa, ed25519) to accommodate
> different key type acceptance and 1 special key for a third party
> project I'm working on right now. I could probably get my personal
> keys down to 2 if I spent a little time auditing my target hosts.
>
>> Does everyone disable agent first thing after installing Fedora? How
>> else do you even manage to survive with this crap running?
>
> Shrug. I live mostly on a Mac right now, which also provides a shared
> agent for your desktop. Quite handy really.
>
>> Why would agent even try with other keys if I SPECIFY the goddamn
>> key! It doesn't make any sense!
>
> I am surprised that it tries the agent keys before the -i key; have
> you verified this with an "ssh -v"?
>
>> How do I turn it off in all shells for all users forever?
>
> Don't. Turn it off for your own shells perhaps, probably in your .bashrc.
>
>> How do I nuke this from system? .bash_profile export does not seem to
>> cut it.
>
> Surprising. I thought the Fedora bashrc sourced the bash_profile.
>
> Cheers,
> Cameron Simpson <cs@xxxxxxxxxx> (formerly cs@xxxxxxxxxx)
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
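
The "ssh -v" check asked about in the thread, as an added example that is not part of either poster's message: it reads saved "ssh -v" output and reports where a given key file falls among the keys the client offered. The log lines, paths, fingerprints and address are constructed, the "Offering public key" wording is assumed from OpenSSH debug output, and IdentitiesOnly is an ssh_config option the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): find where a given key file falls in
# the sequence of keys an ssh client offered, from saved `ssh -v` output.

# offer_position KEYPATH  (reads `ssh -v` output on stdin)
# Prints "<position> <total>"; position is 0 if KEYPATH was never offered.
offer_position() {
    awk -v want="$1" '
        # Matches "Offering public key: <path> ..." and the older
        # "Offering RSA public key: <path>" wording.
        /^debug1: Offering .*public key: / {
            total++
            line = $0
            sub(/^debug1: Offering .*public key: /, "", line)
            split(line, field, " ")
            if (field[1] == want && pos == 0) pos = total
        }
        END { printf "%d %d\n", pos, total }
    '
}

# Constructed log: six agent keys are offered, then the server disconnects
# before the -i key is reached. Paths, fingerprints and address are made up.
sample_agent_first() {
    cat <<'EOF'
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTED1 agent
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED2 agent
debug1: Offering public key: /home/user/.ssh/work RSA SHA256:CONSTRUCTED3 agent
debug1: Offering public key: /home/user/.ssh/github RSA SHA256:CONSTRUCTED4 agent
debug1: Offering public key: /home/user/.ssh/backup RSA SHA256:CONSTRUCTED5 agent
debug1: Offering public key: /home/user/.ssh/lab RSA SHA256:CONSTRUCTED6 agent
Received disconnect from 192.0.2.10 port 22:2: Too many authentication failures
EOF
}

# Constructed log for the same login with agent keys excluded, e.g.
#   ssh -o IdentitiesOnly=yes -i mykey.pem user@myhost
sample_identities_only() {
    cat <<'EOF'
debug1: Offering public key: mykey.pem RSA SHA256:CONSTRUCTED7 explicit
debug1: Authentication succeeded (publickey).
EOF
}

sample_agent_first | offer_position mykey.pem       # key never reached
sample_identities_only | offer_position mykey.pem   # key offered first
```

On a real connection, save the output with "ssh -v -i mykey.pem user@myhost 2> ssh-debug.log" and run "offer_position mykey.pem < ssh-debug.log".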