Public bug reported:

A user creates an ssh key and specifies it on the cmdline with 'ssh -i
new_key user@host'.  The connection fails with the message "Too many
authentication failures" displayed to the user.

This would lead the user to believe that they failed to put the public
portion of the new key on the destination and it will probably be hard
for the average user to debug this.

The root of this issue is that the user has a number of keys in ~/.ssh/
registered with their ssh agent.  The ssh command is offering each of
these keys from the agent to the remote system before trying the
explicit key from the command line.  There are enough agent keys to
reach the failure limit (usually 5 keys) with the remote before they get
to the explicit key.

The solution today for the user is to head down into the ssh_config man
page to find '-o IdentitiesOnly=yes' to skip the agent keys and only use
the specified key.  But they're unlikely to do this because '-i' in the
ssh man page doesn't suggest this and they'd only look for this if they
actually understood the root cause of the problem, which is a bit cruel.

We should consider changing the order of the keys offered to the remote
to use explicit keys first followed by agent keys.  It would seem to me
that this would honor the user's intent of explicitly specifying a key to
use.

The current order makes this difficult for anyone fielding a user's
authentication failure report as they must double check that ssh managed
to actually try the key the user specified before it raised an error
message about authentication failures.
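As an added illustration of the diagnosis described above (this script is not part of the bug report or of OpenSSH), the following POSIX shell functions take the stderr of an `ssh -v` run and report which keys were offered, in order, and whether the key named with `-i` was ever reached before the server disconnected. The debug lines in `SAMPLE_LOG` are constructed to mimic OpenSSH's "Offering public key:" output; the home directory, key names, fingerprints and host address are placeholders.

```shell
#!/bin/sh
# Added example, not from the bug report: parse `ssh -v` output to see
# whether the explicit -i key was offered before the server gave up.
# SAMPLE_LOG is constructed; paths, fingerprints and host are placeholders.

SAMPLE_LOG='debug1: Offering public key: /home/alice/.ssh/id_rsa RSA SHA256:AAAA agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/alice/.ssh/work1 ED25519 SHA256:BBBB agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/alice/.ssh/work2 ED25519 SHA256:CCCC agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/alice/.ssh/work3 ED25519 SHA256:DDDD agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/alice/.ssh/work4 ED25519 SHA256:EEEE agent
Received disconnect from 192.0.2.10 port 22:2: Too many authentication failures
Disconnected from 192.0.2.10 port 22'

# Print every key path ssh offered, one per line, in the order offered.
offered_keys() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Offering public key: \([^ ]*\).*/\1/p'
}

# Count how many keys were offered before the connection ended.
offered_count() {
    offered_keys "$1" | wc -l | tr -d ' '
}

# Exit 0 if the explicit key path ($2) appears among the offered keys.
explicit_key_tried() {
    offered_keys "$1" | grep -qxF -- "$2"
}

# Summarise a failed login: was the -i key reached, or did agent keys
# exhaust the server's limit first?
diagnose() {
    log=$1
    key=$2
    if printf '%s\n' "$log" | grep -q 'Too many authentication failures'; then
        if explicit_key_tried "$log" "$key"; then
            echo "server refused after $(offered_count "$log") keys; $key was offered, check authorized_keys"
        else
            echo "server refused after $(offered_count "$log") agent keys before $key was offered; retry with -o IdentitiesOnly=yes"
        fi
    else
        echo "no 'Too many authentication failures' in log"
    fi
}

# Stand-alone usage with the constructed sample:
diagnose "$SAMPLE_LOG" new_key
```

To collect a real log, run `ssh -v -i new_key user@host 2>ssh.log` and pass the file contents to `diagnose`. The local side of the check is `ssh-add -l`, which lists the agent keys ssh will offer first; if that list is long, the fix the report mentions can be made permanent in `~/.ssh/config` with a `Host` block containing `IdentityFile ~/.ssh/new_key` and `IdentitiesOnly yes`, so only the named key is offered to that host.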

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1872145

Title:
  explicit key offered after all agent keys, auth fails before explicit
  key used

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1872145/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs