https://bugzilla.mindrot.org/show_bug.cgi?id=3153
--- Comment #5 from Christian Ehrhardt <christian.ehrha...@canonical.com> ---

Hi Roumen,

I can absolutely see your POV, which I'd like to summarize as "if you read/know all of the documentation you see what happens". And I can follow your argument that from there the obvious improvement would be to enhance the docs to be more obvious.

But if I turn it around to the user's perspective I'm rather convinced of the proposed behavior:

user-Example A)

If we describe to 100 admins the following scenario:

1. ssh agent has 5 keys loaded
2. you run ssh -i ExplicitKey foo@bar

And we then ask them "Do you expect that ExplicitKey will be tried?" I'm pretty sure the majority will answer "yes it will try ExplicitKey". And even if you then hint at MaxAuthTries limiting the amount that can be tried I assume that most would expect "what I specified explicitly would go first, since after all I specified it explicitly".

user-Example B)

What currently happens to users is something like:

1. `ssh -i ExplicitKey foo@bar` works fine
2. .. N. some other actions which eventually make ssh-agent hold >= MaxAuthTries other keys
3. `ssh -i ExplicitKey foo@bar` suddenly fails now
4. Puzzled ?!?, after a long time finding the subtle details of Agent/MaxAuthTries and wishes that at least what he specified explicitly would have been tried.

Improved-Messaging example C)

Turning the case around again (no offense please, this example is phrased slightly provocatively to show my point). If the behavior isn't changed, then I'd suggest instead of a doc change that people first have to fail, then find the doc then understand it all ... Instead if ssh gives up failing before the key on the command line was even tried ssh could emit a slightly different error.
Instead of
"Too many authentication failures"
it could say:
"Too many authentication failures, But just so you know, the key you thought you use wasn't even tried"

I hope that helps to clarify why I think IdentitiesOnly and/or the documentation thereof isn't enough.

Thanks in advance,
Christian