We migrated a server a few days ago, and the private keys we use to connect to customers got moved as well. However, some of our automated sftp batches were failing with authentication errors. Looking into the verbose output, I noticed that even though ~/.ssh/config is explicitly configured to use a specific identity file, sftp was presenting every key known to the ssh-agent, in order. This particular customer had their daemon configured to only allow 3 attempts. When we connected from the old server, sftp presented the configured identity file first.

I also noticed that at the beginning of the output, it complained about not being able to find the public key file. We extracted the public key from the private key file (giving ssh-keygen the passphrase), and the issue resolved. To wit, sftp presented the correct identity to the server first.

My question is, why does this happen? Why is the client's public key needed to connect to a server? Why doesn't the client present the requested identity first if the public key is not present? For other servers that we connect to, there is no configured maximum login attempts; verbose output shows sftp presenting each identity until it finds the correct one, which is accepted and authentication is successful. Obviously, the public key isn't cryptographically NECESSARY to authenticate.

Additionally, why is the public key portion of the private key file encrypted by the passphrase? Shouldn't it be in plaintext so it's easy to extract?

Regards,
Karl Peterson

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
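The behaviour in the post comes down to what the client can learn about an identity without decrypting it. During public-key authentication the client first offers the server a public key (a "can I use this?" query) and only signs with the private key once the server says yes, so to put a configured identity at the front of the queue it needs that key's public half up front. It gets it from the `.pub` file next to the private key; when that file is missing, the only other way to obtain the public half is to decrypt the private key, which for a passphrase-protected key means prompting, so the client defers that identity and the agent's keys go first. The fix the post arrived at (recreate the `.pub` with `ssh-keygen -y -f <keyfile> > <keyfile>.pub`) is the right one; setting `IdentitiesOnly yes` for that host in `~/.ssh/config` additionally stops the client offering agent keys that are not listed as identities, which is what protects a batch job against a low `MaxAuthTries` on the far side.

Whether the public key is under the passphrase depends on the file format. In the older PEM formats (`-----BEGIN RSA PRIVATE KEY-----` with a `DEK-Info` header) the entire DER body, public components included, is encrypted, so `ssh-keygen -y` has to ask for the passphrase. In the newer `openssh-key-v1` container (`-----BEGIN OPENSSH PRIVATE KEY-----`) the public key blob sits in the unencrypted header ahead of the encrypted private section. The following is an added example, not code from the post or from OpenSSH: it builds a constructed container with a placeholder (not real) ed25519 public key and an opaque stand-in for the encrypted section, then parses the public key back out without any passphrase and prints it as an `authorized_keys`-style line. The envelope layout follows OpenSSH's PROTOCOL.key description; the key material and the helper names are this example's own.

```python
import base64
import struct

# Fixed header of the openssh-key-v1 container (see OpenSSH PROTOCOL.key).
MAGIC = b"openssh-key-v1\x00"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"


def _string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Decode an SSH wire 'string' at offset `off`; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n


def build_container(pub_blob: bytes, private_section: bytes,
                    cipher: bytes = b"aes256-ctr", kdf: bytes = b"bcrypt",
                    kdfoptions: bytes = b"") -> bytes:
    """Constructed openssh-key-v1 file with one key (for demonstration only).

    Layout: MAGIC, string cipher, string kdf, string kdfoptions, uint32 nkeys,
    string publickey[nkeys], string <encrypted private section>.
    """
    body = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfoptions)
            + struct.pack(">I", 1) + _string(pub_blob) + _string(private_section))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("\n".join([PEM_HEAD, *lines, PEM_TAIL]) + "\n").encode()


def parse_public_keys(pem: bytes):
    """Return (cipher name, [(key type, wire blob), ...]) from the unencrypted
    header of an openssh-key-v1 file. No passphrase is needed: the private
    section is skipped untouched."""
    lines = pem.decode().strip().splitlines()
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an openssh-key-v1 file")
    body = base64.b64decode("".join(lines[1:-1]))
    if not body.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(body, off)
    _kdf, off = _read_string(body, off)
    _kdfoptions, off = _read_string(body, off)
    (nkeys,) = struct.unpack_from(">I", body, off)
    off += 4
    keys = []
    for _ in range(nkeys):
        blob, off = _read_string(body, off)
        ktype, _ = _read_string(blob, 0)   # every public blob starts with its type
        keys.append((ktype.decode(), blob))
    return cipher.decode(), keys


def authorized_keys_line(blob: bytes, comment: str = "") -> str:
    """Format a public key blob the way a .pub / authorized_keys entry looks."""
    ktype, _ = _read_string(blob, 0)
    line = f"{ktype.decode()} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


# Constructed sample: 32 placeholder bytes stand in for an ed25519 public key,
# and 64 zero bytes stand in for the ciphertext of the private section.
PUB_BLOB = _string(b"ssh-ed25519") + _string(bytes(range(32)))
KDF_OPTIONS = _string(b"\x01" * 16) + struct.pack(">I", 16)   # string salt, uint32 rounds
EXAMPLE = build_container(PUB_BLOB, b"\x00" * 64, kdfoptions=KDF_OPTIONS)

if __name__ == "__main__":
    cipher, keys = parse_public_keys(EXAMPLE)
    print(f"cipher on private section: {cipher}")
    for ktype, blob in keys:
        print(authorized_keys_line(blob, "recovered-without-passphrase"))
```

The `cipher` field being `aes256-ctr` rather than `none` tells you the private section is encrypted, yet the public blob was readable anyway; that is exactly the information the client needs to order its offers. For a real key, `ssh-keygen -y -f <keyfile>` does this for you and writes the `.pub` line, so there is no reason to hand-parse in production; the point of the example is to show where the public half lives and why a missing `.pub` changes the client's behaviour.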