Whose good idea in the history of Linux was to turn ssh agent on by default when one has more than 5 private keys available?

This is what I just got:

    ssh -i mykey.pem user@myhost
    Received disconnect from ... port 22:2: Too many authentication failures
    Authentication failed.

Then I do export SSH_AUTH_SOCK="" and surprise! I am logged in. And I am not even sure why this suddenly stopped working, I swear to God specifying the key used to override the agent.

So apparently the agent even overrides my -i flag which explicitly specifies which key to use. Instead of taking my key as I specify, ssh agent will go and try every single key file in my .ssh directory and fail after 5 times because any sane remote ssh server will block you after failing so many times.

It does seem like command-line options should be used first.

Anyone doing Linux admin or dev work has more than 5 keys in their .ssh directory, rendering the agent completely USELESS PIECE OF SHIT PROGRAM.

I think you're being unnecessarily unfriendly. There's no need for that.

As for the number of keys, I don't know why anybody would need more than one "identity key" to identify a single individual on a single machine. I do tons of work with SSH, and I've never had more than 2, and the second was only a temporary one I created for a specific test and deleted 5 minutes later. Not that this matters... if you have need for more keys, that's up to you.

Does everyone disable agent first thing after installing Fedora? How else do you even manage to survive with this crap running?

Do you mean Fedora? I suspect you mean GNOME. Specifically, gnome-keyring-daemon, which runs by default in GNOME, but I'm sure it can be disabled (never bothered to check; personally, I find it very useful, and if I didn't... I wouldn't store identity keys in it).

Why would agent even try with other keys if I SPECIFY the goddamn key! It doesn't make any sense!

Why are you putting identities in the agent at all if you're not using it?

Or, why not just set IdentityAgent to "none" in your ~/.ssh/config file if you don't want to use it? Or, use '-o IdentityAgent=none' on the command-line? Or do what you already did, and override SSH_AUTH_SOCK in your env.

How do I turn it off in all shells for all users forever? How do I nuke this from system? .bash_profile export does not seem to cut it.

Set IdentityAgent to "none" in /etc/ssh/ssh_config (Try 'man ssh_config' for more details)

It won't work in .bash_profile for terminals inside GNOME because GNOME sets it after you log in and your session has already started.

Not to mention the same shit happens when you open gnome files and try to connect to remote location, except you can't even specify the key in the UI. It will just try a bunch of keys until you are blocked by remote. And there are numerous other programs that do this, like Filezilla.

I just don't get it apparently..

I don't see why you're getting so upset. It's not hard to avoid using the agent if you don't want to use it. The easiest thing is to not put identities in it in the first place if you don't want them to be used. The next easiest is to change the ssh config to skip the agent. Neither is hard.

But, I do agree with you on the unintuitive nature of not trying the identity from the command-line first. I'm sure a *friendly* request or patch (emphasis on friendly... vs. how you started this thread) to do that to the openssh upstream would be happy to consider it as an improvement to the user experience. Same with GNOME Files and the upstream GNOME devs.
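
A simplified model of the behaviour discussed in this thread, added here as an example and not code from either poster or from OpenSSH. It orders the keys the client offers (agent keys that match a configured identity file, then other agent keys, then identity files the agent does not hold; certificates are ignored) and walks them against a server that disconnects after `MaxAuthTries` failures (sshd_config default 6). The key names and the `offer_order` / `authenticate` helpers are constructed for illustration, and `IdentitiesOnly` is an ssh_config option that the thread itself does not mention.

```python
# Simplified model (an assumption, not OpenSSH source) of which public keys
# the ssh client offers, and in what order, when an agent is available.
# Key names stand in for key identities; real ssh compares public keys.

def offer_order(agent_keys, identity_files, identities_only=False, use_agent=True):
    """Return key names in the order the client would offer them.

    use_agent=False models IdentityAgent=none or an empty SSH_AUTH_SOCK.
    identities_only=True models IdentitiesOnly=yes.
    """
    agent = list(agent_keys) if use_agent else []
    # 1. agent keys that are also named by -i / IdentityFile
    in_both = [k for k in agent if k in identity_files]
    # 2. every other agent key, unless IdentitiesOnly filters them out
    agent_only = [] if identities_only else [k for k in agent if k not in identity_files]
    # 3. -i / IdentityFile keys the agent does not hold
    file_only = [k for k in identity_files if k not in agent]
    return in_both + agent_only + file_only


def authenticate(order, authorized, max_auth_tries=6):
    """Offer keys in order to a server that disconnects once the number of
    failed attempts reaches max_auth_tries. Returns (result, attempts)."""
    failures = 0
    for attempt, key in enumerate(order, start=1):
        if key in authorized:
            return ("accepted", attempt)
        failures += 1
        if failures >= max_auth_tries:
            return ("too many authentication failures", attempt)
    return ("permission denied", len(order))


# Constructed sample: six unrelated keys loaded in the agent, and a server
# that only trusts the key passed with -i.
AGENT = ["work", "github", "lab", "backup", "vpn", "old"]
FILES = ["mykey.pem"]
AUTHORIZED = {"mykey.pem"}

if __name__ == "__main__":
    cases = {
        "agent, -i key not in agent": offer_order(AGENT, FILES),
        "IdentitiesOnly=yes": offer_order(AGENT, FILES, identities_only=True),
        "IdentityAgent=none": offer_order(AGENT, FILES, use_agent=False),
        "-i key also in agent": offer_order(AGENT + FILES, FILES),
    }
    for name, order in cases.items():
        print(f"{name:28} {authenticate(order, AUTHORIZED)}")
```

In this model the `-i` key is reached only after every agent key has been rejected, so the failure limit is hit first; restricting the offer list with `IdentitiesOnly=yes`, or dropping the agent with `IdentityAgent=none`, leaves only the specified key.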