On 17/03/2019 12:45, Brian Exelbierd wrote:
> There is no longer an identityfile to use in the .ssh/config file
> which means all auth keys are tried with all hosts. I have multiple
> auth keys and the hosts give up after 2 or 3 failures. How can I get
> the right key served to the right host since SSH doesn't know how to
> ask for it anymore ...

Ooohhh. I would have hoped the OpenSSH server's MaxAuthTries would only count failed signatures, not failed key matches. But I can reproduce this problem.

Picking an auth key is a two-step process. First the client offers different public keys until the server says it accepts one. Only then is authentication tried with the key that was just negotiated. But indeed, MaxAuthTries counts every *offer* as an auth try and cuts out after 6 in the default configuration.

--8<---------------cut here---------------start------------->8---
$ ssh -v [...]
[...]
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /home/peter/.ssh/id_ed25519
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Just a comment
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 1
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 2
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 3
Received disconnect from ::1 port 22:2: Too many authentication failures
Authentication failed.
--8<---------------cut here---------------end--------------->8---

I don't know a satisfactory solution to this.

Peter.

PS: Could you please trim your quotes when you reply on the mailing list?

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
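
Added example, not part of the message above: a small Python check that reads `ssh -v` output like the trace quoted in the message and reports how many key offers the server rejected before the exchange ended, measured against the default limit of 6 that the message mentions. The sample log is constructed from that trace, and the function and field names are hypothetical.

```python
import re

MAX_AUTH_TRIES = 6  # sshd default, the limit the message says was hit

# Constructed sample, modelled on the `ssh -v` trace quoted in the message.
SAMPLE_LOG = """\
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /home/peter/.ssh/id_ed25519
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Just a comment
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 1
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 2
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 3
Received disconnect from ::1 port 22:2: Too many authentication failures
"""

# Key type before "public key" is optional so differently worded offers match.
OFFER = re.compile(r"^debug1: Offering (?:\S+ )?public key: (.+)$")
ACCEPT = re.compile(r"^debug1: Server accepts key")
CUTOFF = re.compile(r"Too many authentication failures")


def analyse(log, max_auth_tries=MAX_AUTH_TRIES):
    """Count key offers in an `ssh -v` trace and report how the exchange ended."""
    offers, accepted, cut_off = [], None, False
    for raw in log.splitlines():
        line = raw.strip()
        match = OFFER.match(line)
        if match:
            offers.append(match.group(1))
        elif ACCEPT.match(line) and offers:
            accepted = offers[-1]  # the server accepted the most recent offer
            break
        elif CUTOFF.search(line):
            cut_off = True
            break
    rejected = len(offers) - (1 if accepted is not None else 0)
    return {
        "offers": offers,
        "rejected": rejected,
        "accepted": accepted,
        "cut_off": cut_off,
        # Every offer counts as a try, so only the first N offered keys get a chance.
        "budget_left": max(max_auth_tries - rejected, 0),
    }
```

Running `analyse()` on a saved trace shows at which position a wanted key is offered, and so whether it falls inside the first `max_auth_tries` offers at all.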