Identifying one of multiple authentication subkeys

Peter Lebbing peter at digitalbrains.com
Sun Mar 17 13:12:29 CET 2019


On 17/03/2019 12:45, Brian Exelbierd wrote:
> There is no longer an identityfile to use in the .ssh/config file
> which means all auth keys are tried with all hosts.  I have multiple
> auth keys and the hosts give up after 2 or 3 failures.  How can I get
> the right key served to the right host since SSH doesn't know how to
> ask for it anymore ...

Ooohhh. I would have hoped the OpenSSH server's MaxAuthTries would only
count failed signatures, not failed key matches. But I can reproduce
this problem.

Picking an auth key is a two-step process. First the client offers
different public keys until the server says it accepts one. Only then is
authentication tried with the key that was just negotiated. But indeed,
MaxAuthTries counts every *offer* as an auth try and cuts out after 6 in
the default configuration.

--8<---------------cut here---------------start------------->8---
$ ssh -v [...]
[...]
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /home/peter/.ssh/id_ed25519
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Just a comment
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 1
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 2
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 3
Received disconnect from ::1 port 22:2: Too many authentication failures
Authentication failed.
--8<---------------cut here---------------end--------------->8---

I don't know a satisfactory solution to this.

Peter.

PS: Could you please trim your quotes when you reply on the mailing
list?

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
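
Added example, not part of the original message and not OpenSSH's own code: a Python sketch that reads `ssh -v` output and counts the public-key offers of step one against MaxAuthTries (6 in the default configuration, as stated above). The `analyse` function and the second sample, including its "Server accepts key" line, are assumptions made for illustration.

```python
import re

# The debug lines from the message above, verbatim.
FAILED = """\
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /home/peter/.ssh/id_ed25519
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Just a comment
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 1
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 2
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 3
Received disconnect from ::1 port 22:2: Too many authentication failures
"""

# Constructed sample: the server accepts the third key offered.
# The "Server accepts key" line is an assumption about the client's debug output.
ACCEPTED = """\
debug1: Offering ED25519 public key: /home/peter/.ssh/id_ed25519
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: Testkey 1
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
"""

OFFER = re.compile(r"debug1: Offering (?:\S+ )?public key: (.+)")
ACCEPT = "debug1: Server accepts key:"
TOO_MANY = "Too many authentication failures"

def analyse(log, max_auth_tries=6):
    """Count key offers (step one) and report how the exchange ended."""
    offers, accepted, cut_off = [], None, False
    for line in map(str.strip, log.splitlines()):
        m = OFFER.match(line)
        if m:
            offers.append(m.group(1))          # every offer costs one try
        elif line.startswith(ACCEPT) and offers:
            accepted = offers[-1]              # step two starts with this key
        elif TOO_MANY in line:
            cut_off = True                     # server disconnected the client
    return {"offers": offers, "accepted": accepted, "cut_off": cut_off,
            "tries_left": max(max_auth_tries - len(offers), 0)}
```

On the transcript from the message, `analyse(FAILED)` reports six offers, no accepted key and no tries left, which matches the disconnect after "Testkey 3".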
