Still no activity in the upstream issue, however I think OpenSSH 8.9 offers a mechanism that can help avoiding hitting MaxAuthTries in some cases: "destination constraints", see documentation for -h in ssh- add(1). AIUI constraining should limit the number of keys tried against a given host, making reaching MaxAuthTries more difficult. More info:
https://www.openssh.com/agent-restrict.html https://lwn.net/Articles/880458/ It is not clear to me if setting destination constraints also affects the order in which keys are tried (narrower scope => higher priority). Another workaround is preventing ssh to reach the agent: SSH_AUTH_SOCK= ssh -i <keyfile> <user@host> -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1872145 Title: explicit key offered after all agent keys, auth can fail before explicit key used Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Triaged Status in openssh package in Debian: New Bug description: A user creates an ssh key and specifies it on the cmdline with 'ssh -i new_key user@host'. The connection fails with the message "Too many authentication failures" displayed to the user. This would lead the user to believe that they failed to put the public portion of the new key on the destination and it will probably be hard for the average user to debug this. The root of this issue is that the user has a number of keys in ~/.ssh/ registered with their ssh agent. The ssh command is offering each of these keys from the agent to the remote system before trying the explicit key from the command line. There are enough agent keys to reach the failure limit (usually 5 keys) with the remote before they get to the explicit key. The solution today for the user is to head down into the ssh_config man page to find '-o IdentitiesOnly=yes' to skip the agent keys and only use the specified key. But they're unlikely to do this because '-i' in the ssh man page doesn't suggest this and they'd only look for this if they actually understood the root cause of the problem, which is a bit cruel. We should consider changing the order of the keys offered to the remote to use explicit keys first followed by agent keys. It would seem to me that this would honor the users intent of explicitly specifying a key to use. The current order makes this difficult for anyone fielding a user's authentication failure report as they must double check that ssh managed to actually try the key the user specified before it raised an error message about authentication failures. To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1872145/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
