Whose good idea in the history of Linux was to turn ssh agent on by default when one has more than 5 private keys available? This is what I just got:
ssh -i mykey.pem user@myhost
Received disconnect from ... port 22:2: Too many authentication failures
Authentication failed.
Then I do export SSH_AUTH_SOCK="" and surprise! I am logged in. And I am not even sure why this suddenly stopped working, I swear to God specifying the key used to override the agent.
So apparently the agent even overrides my -i flag which explicitly specifies which key to use. Instead of taking my key as I specify, ssh agent will go and try every single key file in my .ssh directory and fail after 5 times because any sane remote ssh server will block you after failing so many times.
Anyone doing linux admin or dev work has more than 5 keys in their .ssh directory, rendering the agent completely USELESS PIECE OF SHIT PROGRAM.
Does everyone disable agent first thing after installing Fedora? How else do you even manage to survive with this crap running?
Why would agent even try with other keys if I SPECIFY the goddamn key! It doesn't make any sense!
How do I turn it off in all shells for all users forever? How do I nuke this from system? .bash_profile export does not seem to cut it.
Not to mention the same shit happens when you open gnome files and try to connect to remote location, except you can't even specify the key in the UI. It will just try a bunch of keys until you are blocked by remote.
And there are numerous other programs who do this, like Filezilla.
I just don't get it apparently..
Tom Horsley wrote:
On Thu, 23 Nov 2017 00:06:11 +0100 cen wrote:
Anyone doing linux admin or dev work has more than 5 keys in their .ssh directory, rendering the agent completely USELESS PIECE OF SHIT PROGRAM.
Why? I do lots of linux admin work and I only have two keys.
I use a different key for each organization I'm working for/with. I have a personal key, one for Fedora packaging, one for github, another for bitbucket, and several for different companies where I perform admin work.
You can certainly use one or two keys for all of that, but I don't think it's the best practice to do so. Not everyone feels the same, but it's far from unusual to have quite a few keys.
This is not just Fedora-specific behavior. I ran into this a few days ago on a Mac after adding a bunch of keys to my agent (one per AWS region). Even if you specify a key with “-i” it will still go for the agent, resulting in an Auth failure. Not sure if specifying a key in the config will override it though, I didn’t try that.
The fact that SSH prioritizes the agent over a manually specified key definitely smells like an upstream bug though. That’s not just counterintuitive, that’s a blatant disregard of an explicit command specified by the user.
Cheers! Eric
On Nov 22, 2017, at 19:33, Todd Zullinger tmz@pobox.com wrote:
-- Todd
If people are good only because they fear punishment, and hope for reward, then we are a sorry lot indeed. -- Albert Einstein _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org
According to other replies gnome-keyring is involved so perhaps the fault lies in that. I doubt upstream ssh guys would override cli options with agent. Cli is usually the highest order of priority. I will try to investigate further and try to pinpoint the blame.
For now I managed to completely disable it system wide by adding export SSH_AUTH_SOCK="" in a /etc/profile.d script.
On 11/23/2017 04:18 AM, Eric Griffith wrote:
On 11/23/2017 03:20 AM, cen wrote:
According to other replies gnome-keyring is involved so perhaps the fault lies in that. I doubt upstream ssh guys would override cli options with agent.
Nonsense. GNOME provides *an* agent, it doesn't modify ssh. The ssh client decides what order to attempt authentication methods.
For now I managed to completely disable it system wide by adding export SSH_AUTH_SOCK="" in a /etc/profile.d script.
If you don't want your ssh keys to be used automatically, the least-effort fix is simply to not store them in .ssh. Keys stored elsewhere can be specified on the command line, but won't be loaded automatically by the GNOME keyring application.
The SSH agent is an important component of secure SSH use. You *should* keep your keys encrypted on disk (even if your filesystem itself is encrypted). The agent makes it viable to use secure passphrases with keys that you use frequently, eliminating the barrier to use that typing the passphrase frequently presents. It also allows you to forward your agent connection with SSH sessions, so that you can hop from host to host without copying private keys to the intermediate hosts.
On 23Nov2017 00:06, cen imbacen@gmail.com wrote:
Whose good idea in the history of Linux was to turn ssh agent on by default when one has more than 5 private keys available? This is what I just got:
ssh -i mykey.pem user@myhost Received disconnect from ... port 22:2: Too many authentication failures Authentication failed.
Then I do export SSH_AUTH_SOCK="" and surprise! I am logged in. And I am not even sure why this suddenly stopped working, I swear to God specifying the key used to override the agent.
No, as far as I recall it merely uses that key in addition to the agent. What gets used first might depend on the key types, too.
Have you experimented with specifying the key file in the ssh_config for whatever hosts require that key? Don't forget that the .ssh/config file accepts shell style globs in the Host clause names, quite handy for some things. Example from mine:
Host *-direct
    ControlPath none
Adjust to suit.
I keep a no-ssh-agent wrapper script around to run commands without access to my agent. Usage:
no-ssh-agent some-ssh-stuff ...
So apparently the agent even overrides my -i flag which explicitly specifies which key to use. Instead of taking my key as I specify, ssh agent will go and try every single key file in my .ssh directory and fail after 5 times because any sane remote ssh server will block you after failing so many times.
Have you examined the output of "ssh -v" for this connection? Have you confirmed that your -i key is being offered after all your agent keys?
Anyone doing linux admin or dev work has more than 5 keys in their .ssh directory, rendering the agent completely USELESS PIECE OF SHIT PROGRAM.
Actually, no.
I've been doing that kind of work (admin and dev) for decades and I don't think I've ever had as many as 5 keys in my agents. I've got 4 right now, 3 being my personal keys (rsa, dsa, ed25519) to accommodate different key type acceptance and 1 special key for a third party project I'm working on right now. I could probably get my personal keys down to 2 if I spent a little time auditing my target hosts.
Does everyone disable agent first thing after installing Fedora? How else do you even manage to survive with this crap running?
Shrug. I live mostly on a Mac right now, which also provides a shared agent for your desktop. Quite handy really.
Why would agent even try with other keys if I SPECIFY the goddamn key! It doesn't make any sense!
I am surprised that it tries the agent keys before the -i key; have you verified this with an "ssh -v"?
How do I turn it off in all shells for all users forever?
Don't. Turn it off for your own shells perhaps, probably in your .bashrc.
How do I nuke this from system? .bash_profile export does not seem to cut it.
Surprising. I thought the Fedora bashrc sourced the bash_profile.
Cheers, Cameron Simpson cs@cskk.id.au (formerly cs@zip.com.au)
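As an added diagnostic (not code from the thread or from OpenSSH), a small Python parser for the "ssh -v" output Cameron asks about: it lists the identities the client offers in order and reports whether the -i key would be reached before the server's MaxAuthTries cut-off. The sample debug lines, the host 203.0.113.10, the key names and the path /home/cen/.ssh/mykey.pem are constructed for the example.

```python
"""Read `ssh -v` debug output and show the order in which identities were
offered, so you can see whether agent keys crowd out the -i key.
Added example for this thread; not OpenSSH code."""
import re

# Matches both the older "Offering RSA public key: NAME" wording and the
# newer "Offering public key: NAME TYPE SHA256:..." wording of ssh -v.
OFFER_RE = re.compile(r"Offering (?:[A-Z0-9]+ )?public key: (\S+)")
TRY_RE = re.compile(r"Trying private key: (\S+)")
DISCONNECT_RE = re.compile(r"Too many authentication failures")

# Constructed sample: six agent keys are offered and the server cuts the
# connection before ssh ever gets to the file named with -i.
SAMPLE_BLOCKED = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: work-a
debug1: Offering RSA public key: work-b
debug1: Offering RSA public key: github
debug1: Offering RSA public key: bitbucket
debug1: Offering RSA public key: fedora
debug1: Offering RSA public key: personal
Received disconnect from 203.0.113.10 port 22:2: Too many authentication failures
"""

# Constructed sample: only two agent keys, so the -i key is reached third.
SAMPLE_OK = """\
debug1: Next authentication method: publickey
debug1: Offering RSA public key: github
debug1: Offering RSA public key: personal
debug1: Trying private key: /home/cen/.ssh/mykey.pem
debug1: Authentication succeeded (publickey).
"""


def offered_identities(debug_output):
    """Identities ssh offered or tried, in order, up to any
    'Too many authentication failures' disconnect."""
    order = []
    for line in debug_output.splitlines():
        if DISCONNECT_RE.search(line):
            break
        m = OFFER_RE.search(line) or TRY_RE.search(line)
        if m:
            order.append(m.group(1))
    return order


def key_position(debug_output, identity_file):
    """1-based position at which identity_file was offered, or None if the
    server disconnected before ssh got to it."""
    order = offered_identities(debug_output)
    return order.index(identity_file) + 1 if identity_file in order else None


def would_exceed(debug_output, identity_file, max_auth_tries=6):
    """True if the -i key sits past the last attempt sshd accepts.
    sshd's MaxAuthTries defaults to 6; every rejected key counts as one
    failure, so a key at position 7 or later is never tried."""
    pos = key_position(debug_output, identity_file)
    return pos is None or pos > max_auth_tries


if __name__ == "__main__":
    for name, sample in (("blocked", SAMPLE_BLOCKED), ("ok", SAMPLE_OK)):
        print(name, offered_identities(sample),
              "-i key reached:", not would_exceed(sample, "/home/cen/.ssh/mykey.pem"))
```

Feed it real output with `ssh -v -i mykey.pem user@myhost 2>&1 | python3 thisfile.py` after swapping the samples for `sys.stdin.read()`; the order it prints is the answer to "is my -i key offered after all the agent keys?".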
I did use -v and it does use other keys first. It probably uses my key down the road but you can never see that because remote blocks you before it happens.
On 11/23/2017 01:53 AM, Cameron Simpson wrote:
cen wrote:
Anyone doing linux admin or dev work has more than 5 keys in their .ssh directory, rendering the agent completely USELESS PIECE OF SHIT PROGRAM.
Not at all. It just requires some config to handle that well. :)
Does everyone disable agent first thing after installing Fedora? How else do you even manage to survive with this crap running?
The agent is great. It certainly can be annoying with many keys, some of which is made worse by the agent being provided not by ssh but by gnome-keyring-daemon, I think.
Why would agent even try with other keys if I SPECIFY the goddamn key! It doesn't make any sense!
There is a way to avoid this though, using the IdentitiesOnly option in the ssh config:
Host *.example.com
    IdentityFile ~/.ssh/id_rsa_example_com
Host *.example.net
    IdentityFile ~/.ssh/id_rsa_example_net
Host *
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa
Maybe that will be helpful as an alternative to disabling the agent entirely.
I tried IdentitiesOnly and it worked but it also disables password login which I sometimes need.
On 11/23/2017 02:29 AM, Todd Zullinger wrote:
On Wed, Nov 22, 2017 at 6:07 PM cen imbacen@gmail.com wrote:
Whose good idea in the history of Linux was to turn ssh agent on by default when one has more than 5 private keys available? This is what I just got:
ssh -i mykey.pem user@myhost Received disconnect from ... port 22:2: Too many authentication failures Authentication failed.
Then I do export SSH_AUTH_SOCK="" and surprise! I am logged in. And I am not even sure why this suddenly stopped working, I swear to God specifying the key used to override the agent.
So apparently the agent even overrides my -i flag which explicitly specifies which key to use. Instead of taking my key as I specify, ssh agent will go and try every single key file in my .ssh directory and fail after 5 times because any sane remote ssh server will block you after failing so many times.
It does seem like command-line options should be used first.
Anyone doing linux admin or dev work has more than 5 keys in their .ssh directory, rendering the agent completely USELESS PIECE OF SHIT PROGRAM.
I think you're being unnecessarily unfriendly. There's no need for that.
As for the number of keys, I don't know why anybody would need more than one "identity key" to identify a single individual on a single machine. I do tons of work with SSH, and I've never had more than 2, and the second was only a temporary one I created for a specific test and deleted 5 minutes later. Not that this matters... if you have need for more keys, that's up to you.
Does everyone disable agent first thing after installing Fedora? How else do you even manage to survive with this crap running?
Do you mean Fedora? I suspect you mean GNOME. Specifically, gnome-keyring-daemon, which runs by default in GNOME, but I'm sure it can be disabled (never bothered to check; personally, I find it very useful, and if I didn't... I wouldn't store identity keys in it).
Why would agent even try with other keys if I SPECIFY the goddamn key! It doesn't make any sense!
Why are you putting identities in the agent at all if you're not using it? Or, why not just set IdentityAgent to "none" in your ~/.ssh/config file if you don't want to use it? Or, use '-o IdentityAgent=none' on the command-line? Or do what you already did, and override SSH_AUTH_SOCK in your env.
How do I turn it off in all shells for all users forever? How do I nuke this from system? .bash_profile export does not seem to cut it.
Set IdentityAgent to "none" in /etc/ssh/ssh_config (Try 'man ssh_config' for more details)
It won't work in .bash_profile for terminals inside GNOME because GNOME sets it after you log in and your session has already started.
Not to mention the same shit happens when you open gnome files and try to connect to remote location, except you can't even specify the key in the UI. It will just try a bunch of keys until you are blocked by remote.
And there are numerous other programs who do this, like Filezilla.
I just don't get it apparently..
I don't see why you're getting so upset. It's not hard to avoid using the agent if you don't want to use it. The easiest thing is to not put identities in it in the first place if you don't want them to be used. The next easiest is to change the ssh config to skip the agent. Neither are hard.
But, I do agree with you on the unintuitive nature of not trying the identity from the command-line first. I'm sure a *friendly* request or patch (emphasis on friendly... vs. how you started this thread) to do that to the openssh upstream would be happy to consider it as an improvement to the user experience. Same with GNOME Files and the upstream GNOME devs.
Not sure why but setting IdentityAgent in config did nothing for me. Perhaps this is a problem with gnome-keyring being overzealous and always trying to be first.
On 11/23/2017 04:15 AM, Christopher wrote: