[Bug 3153] Prefer user specified keys to avoid the agent overloading MaxAuthTries before even trying the key that was specified
https://bugzilla.mindrot.org/show_bug.cgi?id=3153

--- Comment #1 from Christian Ehrhardt <christian.ehrhardt@canonical.com> ---
Example effect of the patch:

Former behavior: on a server with MaxAuthTries 4 the explicitly
specified key would not have been tried:

$ ssh -i /tmp/testkey -v horsea "echo 1" |& grep "Will attempt"
debug1: Will attempt key: /home/paelzer/.ssh/id_rsa RSA ... agent
debug1: Will attempt key: ubuntu@cpaelzer-bastion RSA ... agent
debug1: Will attempt key: paelzer@lap RSA ... agent
debug1: Will attempt key: paelzer@swarm.n RSA ... agent
debug1: Will attempt key: /tmp/testkey RSA ... explicit

With the change this becomes the following and works:

$ ssh -i /tmp/testkey -v horsea "echo 1" |& grep "Will attempt"
debug1: Will attempt key: /tmp/testkey RSA ... explicit
debug1: Will attempt key: /home/paelzer/.ssh/id_rsa RSA ... agent
debug1: Will attempt key: ubuntu@cpaelzer-bastion RSA ... agent
debug1: Will attempt key: paelzer@lap RSA ... agent
debug1: Will attempt key: paelzer@swarm.n RSA ... agent

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3153] Prefer user specified keys to avoid the agent overloading MaxAuthTries before even trying the key that was specified
https://bugzilla.mindrot.org/show_bug.cgi?id=3153

Damien Miller <djm@mindrot.org> changed:

What     |Removed |Added
----------------------------------------------------------------------------
CC       |        |djm@mindrot.org

--- Comment #2 from Damien Miller <djm@mindrot.org> ---
Created attachment 3387
--> https://bugzilla.mindrot.org/attachment.cgi?id=3387&action=edit
identitiesOnly=explicit

Maybe we could do something like this: allow IdentitiesOnly=explicit to
disable adding agent keys that aren't explicitly listed as
IdentityFiles/-i.

[Bug 3153] Prefer user specified keys to avoid the agent overloading MaxAuthTries before even trying the key that was specified
https://bugzilla.mindrot.org/show_bug.cgi?id=3153

--- Comment #3 from Christian Ehrhardt <christian.ehrhardt@canonical.com> ---
Hi Damien,
the suggested IdentitiesOnly=explicit is interesting, but it won't
cover the part of the users that need the fix the most.

I was mostly thinking about the less experienced users - those who'd
not understand why things are failing and not know how to hunt for the
existing workarounds.
The IdentitiesOnly=explicit option would only fix it for those people
that know what is going on (as they need to set it), unless it were
the default config value. But as default it would break plenty of
other use cases.

But thinking about configs, maybe we'd want/need to go a step further.
Today the preference order is in the code, maybe we'd want to expose
that as a config. With my patch applied we have 6 classes of Auth to
offer.

We might apply my patch, but then revamp it completely to have the
order configurable. The following would represent the order with my
patch applied:

IdentitiesOrder=key-explicit,cert-configured,cert-other,key-agent-configured,key-agent,key-other

Everyone is welcome to bikeshed on the terms, but it actually was more
about discussing the idea :-)

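The failure mode shown in comment #1 and the configurable key ordering floated in comment #3, as an added Python example that is not part of the bug report, of the attached patch or of OpenSSH: it parses the `Will attempt key` debug lines quoted above, checks whether the explicitly specified key falls within the server's MaxAuthTries budget, and reorders the list according to a configurable class order in the spirit of the proposed IdentitiesOrder. The function names `parse_attempts`, `explicit_key_reachable` and `reorder` are hypothetical, the sample lines are the ones quoted in comment #1 (with the `...` fingerprint placeholder kept), and the key classes are reduced to the `agent`/`explicit`/`file` labels that `ssh -v` prints rather than the six classes proposed in comment #3. The model of sshd is simplified to "every rejected key counts as one try", which is enough to reproduce the behaviour described in the report.

```python
import re
from typing import List, NamedTuple, Sequence

# Constructed sample input: the "former behavior" debug1 lines quoted in
# comment #1. Four agent keys are offered before the key given with -i.
FORMER_DEBUG_OUTPUT = """\
debug1: Will attempt key: /home/paelzer/.ssh/id_rsa RSA ... agent
debug1: Will attempt key: ubuntu@cpaelzer-bastion RSA ... agent
debug1: Will attempt key: paelzer@lap RSA ... agent
debug1: Will attempt key: paelzer@swarm.n RSA ... agent
debug1: Will attempt key: /tmp/testkey RSA ... explicit
"""


class Identity(NamedTuple):
    name: str      # key comment or path as printed by ssh -v
    keytype: str   # e.g. RSA, ED25519
    source: str    # "explicit" (-i / IdentityFile), "agent", or "file" (no flag)


# comment (may contain spaces), key type, fingerprint, then zero or more
# trailing flags such as " agent", " explicit" or " token".
_ATTEMPT_RE = re.compile(
    r"^debug1: Will attempt key: (.+?) (\S+) (\S+)((?: (?:agent|explicit|token))*)$"
)


def parse_attempts(debug_output: str) -> List[Identity]:
    """Extract the client's key-offer order from `ssh -v` output.

    Lines that are not "Will attempt key" lines are ignored, so the whole
    verbose log can be fed in unchanged.
    """
    identities = []
    for line in debug_output.splitlines():
        m = _ATTEMPT_RE.match(line.strip())
        if not m:
            continue
        name, keytype, _fingerprint, flags = m.groups()
        if "explicit" in flags.split():
            source = "explicit"
        elif "agent" in flags.split():
            source = "agent"
        else:
            source = "file"
        identities.append(Identity(name, keytype, source))
    return identities


def explicit_key_reachable(identities: Sequence[Identity], max_auth_tries: int) -> bool:
    """True if the first explicitly specified key is offered within MaxAuthTries.

    Simplified sshd model (assumption): every key the server rejects counts as
    one failed try, and the connection is closed once max_auth_tries failures
    have accumulated, so only the first max_auth_tries offers are ever seen.
    """
    for position, ident in enumerate(identities, start=1):
        if ident.source == "explicit":
            return position <= max_auth_tries
    return False  # no explicit key in the list at all


def reorder(identities: Sequence[Identity], order: Sequence[str]) -> List[Identity]:
    """Stable-sort identities by their class's position in `order`.

    `order` plays the role of the IdentitiesOrder idea from comment #3, e.g.
    ("explicit", "agent", "file"). Classes missing from `order` sort last, and
    keys within one class keep their original relative order, matching the
    "with the change" output in comment #1.
    """
    rank = {cls: i for i, cls in enumerate(order)}
    return sorted(identities, key=lambda ident: rank.get(ident.source, len(order)))


if __name__ == "__main__":
    former = parse_attempts(FORMER_DEBUG_OUTPUT)
    for tries in (4, 5):
        ok = explicit_key_reachable(former, tries)
        print(f"MaxAuthTries {tries}: explicit key reached before cutoff: {ok}")
    for ident in reorder(former, ("explicit", "agent", "file")):
        print(f"{ident.source:9} {ident.keytype:4} {ident.name}")
```

Running the block prints that the explicit key is not reached with MaxAuthTries 4 but is with 5, and then the reordered list with `/tmp/testkey` first and the four agent keys in their original order, the same ordering comment #1 shows after the patch.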