Not sure why but setting IdentityAgent in config did nothing for me. Perhaps this is a problem with gnome-keyring being overzealous and always trying to be first.

On 11/23/2017 04:15 AM, Christopher wrote:
On Wed, Nov 22, 2017 at 6:07 PM cen <imba...@gmail.com> wrote:

    Whose good idea in the history of Linux was to turn ssh agent on by
    default when one has more than 5 private keys available? This is what I
    just got:

    ssh -i mykey.pem user@myhost
    Received disconnect from ... port 22:2: Too many authentication failures
    Authentication failed.


    Then I do export SSH_AUTH_SOCK="" and surprise! I am logged in. And I am
    not even sure why this suddenly stopped working, I swear to God
    specifying the key used to override the agent.

    So apparently the agent even overrides my -i flag which explicitly
    specifies which key to use. Instead of taking my key as I specify, ssh
    agent will go and try every single key file in my .ssh directory and
    fail after 5 times because any sane remote ssh server will block you
    after failing so many times.


It does seem like command-line options should be used first.

    Anyone doing linux admin or dev work has more than 5 keys in their .ssh
    directory, rendering the agent completely USELESS PIECE OF SHIT PROGRAM.


I think you're being unnecessarily unfriendly. There's no need for that.

As for the number of keys, I don't know why anybody would need more than one "identity key" to identify a single individual on a single machine. I do tons of work with SSH, and I've never had more than 2, and the second was only a temporary one I created for a specific test and deleted 5 minutes later. Not that this matters... if you have need for more keys, that's up to you.


    Does everyone disable agent first thing after installing Fedora? How
    else do you even manage to survive with this crap running?


Do you mean Fedora? I suspect you mean GNOME. Specifically, gnome-keyring-daemon, which runs by default in GNOME, but I'm sure it can be disabled (never bothered to check; personally, I find it very useful, and if I didn't... I wouldn't store identity keys in it).

    Why would agent even try with other keys if I SPECIFY the goddamn key!
    It doesn't make any sense!


Why are you putting identities in the agent at all if you're not using it?
Or, why not just set IdentityAgent to "none" in your ~/.ssh/config file if you don't want to use it? Or, use '-o IdentityAgent=none' on the command-line? Or do what you already did, and override SSH_AUTH_SOCK in your env.

    How do I turn it off in all shells for all users forever? How do I nuke
    this from system? .bash_profile export does not seem to cut it.


Set IdentityAgent to "none" in /etc/ssh/ssh_config
(Try 'man ssh_config' for more details)

It won't work in .bash_profile for terminals inside GNOME because GNOME sets it after you log in and your session has already started.

    Not to mention the same shit happens when you open gnome files and try
    to connect to remote location, except you can't even specify the key in
    the UI. It will just try a bunch of keys until you are blocked by remote.

    And there are numerous other programs who do this, like Filezilla.

    I just don't get it apparently..


I don't see why you're getting so upset. It's not hard to avoid using the agent if you don't want to use it. The easiest thing is to not put identities in it in the first place if you don't want them to be used. The next easiest is to change the ssh config to skip the agent. Neither is hard.

But, I do agree with you on the unintuitive nature of not trying the identity from the command-line first. I'm sure that, given a *friendly* request or patch (emphasis on friendly... vs. how you started this thread) to do that, the openssh upstream would be happy to consider it as an improvement to the user experience. Same with GNOME Files and the upstream GNOME devs.



_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
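
A diagnostic for the situation discussed in this thread, added here as an example and not code from either poster: it reads `ssh -G` and `ssh-add -l` output and reports whether the agent's identities will exhaust the server's failure limit before the `-i` key is offered. The function names are hypothetical, the sample data is constructed, the limit of 5 is the figure quoted in the thread, and `IdentitiesOnly` is a real ssh_config option that the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ssh -G <host>` and `ssh-add -l`
# output and reports whether agent identities are offered ahead of the -i key.

# Print the value of option $1 from `ssh -G` output read on stdin.
effective_opt() {
    awk -v k="$1" 'tolower($1) == k { print $2; exit }'
}

# Count identities in `ssh-add -l` output on stdin (each line starts with key bits).
count_agent_keys() {
    awk '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# assess CFG KEYLIST LIMIT -> agent-disabled | explicit-only | lockout-risk | within-limit
# LIMIT is the server's failure limit, supplied by the caller (assumption).
# Assumes the -i key is not itself loaded in the agent.
assess() {
    agent=$(printf '%s\n' "$1" | effective_opt identityagent)
    only=$(printf '%s\n' "$1" | effective_opt identitiesonly)
    keys=$(printf '%s\n' "$2" | count_agent_keys)
    if [ "$agent" = "none" ]; then
        echo agent-disabled      # IdentityAgent none: the agent is never asked
    elif [ "$only" = "yes" ]; then
        echo explicit-only       # only configured or -i identities are offered
    elif [ "$keys" -ge "$3" ]; then
        echo lockout-risk        # agent keys alone reach the failure limit
    else
        echo within-limit        # agent keys go first, but the -i key is reached
    fi
}

# Constructed sample data (host, fingerprints and comments are made up).
SAMPLE_CFG='hostname myhost
identitiesonly no
identityfile mykey.pem'
SAMPLE_KEYS='2048 SHA256:constructed1 work (RSA)
2048 SHA256:constructed2 home (RSA)
4096 SHA256:constructed3 build (RSA)
256 SHA256:constructed4 git (ED25519)
256 SHA256:constructed5 lab (ED25519)
2048 SHA256:constructed6 old (RSA)'

# Live use: assess "$(ssh -G -i mykey.pem user@myhost)" "$(ssh-add -l)" 5
assess "$SAMPLE_CFG" "$SAMPLE_KEYS" 5
```
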
