ssh_config: Ignore pre-existing SSH keys on the client #14646
Merged
Description
Make algo-generated ssh_config compatible with SSH client environments with six or more client keys defined.
Motivation and Context
sshd limits the number of authentication attempts permitted per established connection. The limit is set via the MaxAuthTries option and defaults to six attempts.
Client SSH environments that define more than six SSH keys globally or in the agent would exhaust authentication attempts before they reach the algo-specified per-instance SSH private key.
The SSH client allows "forgetting" existing keys per connection using the IdentitiesOnly option.
A client only offers an explicitly defined key when this option is set.
How Has This Been Tested?
The change was tested via the -o IdentitiesOnly=yes CLI SSH option.
Before:
ssh -vF configs/192.0.2.2/ssh_config algo "echo loginokay" 2>&1 | egrep -i 'loginok|authentication|public'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: [skipped] agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: [skipped] agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: [skipped] agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: [skipped] agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: [skipped] agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: [skipped] agent
Received disconnect from 192.0.2.2 port 4160:2: Too many authentication failures
After:
ssh -o IdentitiesOnly=yes -vF configs/192.0.2.2/ssh_config algo "echo loginokay" 2>&1 | egrep -i 'loginok|authentication|public'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: [skipped]/configs/algo.pem RSA SHA256:[skipped] explicit
Authenticated to 192.0.2.2 ([192.0.2.2]:4160) using "publickey".
debug1: Sending command: echo loginokay
loginokay
Types of changes
Checklist:
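The failure mode in the before/after output above can be detected mechanically from `ssh -v` output. The following is an added example, not part of the pull request or the algo code base; the function name, the verdict strings and the sample logs (constructed, with placeholder paths and fingerprints) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Classify `ssh -v` output: did the client use up sshd's MaxAuthTries on
# agent keys before it ever offered the explicitly configured key?

MAX_AUTH_TRIES=6   # sshd default quoted in the PR; adjust if the server differs

# Reads ssh debug output on stdin, prints "<verdict> offered=N agent=N explicit=N".
diagnose_ssh_log() {
    awk -v max="$MAX_AUTH_TRIES" '
        /Offering public key:/ {
            offered++
            if ($NF == "agent")    agent++      # key came from ssh-agent
            if ($NF == "explicit") explicit++   # key named by IdentityFile or -i
        }
        /Too many authentication failures/ { toomany = 1 }
        /^Authenticated to /               { ok = 1 }
        END {
            if (ok)                                          verdict = "authenticated"
            else if (toomany && offered >= max && !explicit) verdict = "exhausted-before-explicit-key"
            else if (toomany)                                verdict = "too-many-failures"
            else                                             verdict = "inconclusive"
            printf "%s offered=%d agent=%d explicit=%d\n", verdict, offered, agent, explicit
        }'
}

# Constructed sample: six agent keys offered, then the server disconnects.
SAMPLE_BEFORE=$(
    for i in 1 2 3 4 5 6; do
        echo "debug1: Authentications that can continue: publickey"
        echo "debug1: Offering public key: /home/user/.ssh/key$i RSA SHA256:CONSTRUCTED$i agent"
    done
    echo "Received disconnect from 192.0.2.2 port 4160:2: Too many authentication failures"
)

# Constructed sample: with IdentitiesOnly=yes only the explicit key is offered.
SAMPLE_AFTER='debug1: Authentications that can continue: publickey
debug1: Offering public key: /path/to/configs/algo.pem RSA SHA256:CONSTRUCTED explicit
Authenticated to 192.0.2.2 ([192.0.2.2]:4160) using "publickey".'

printf '%s\n' "$SAMPLE_BEFORE" | diagnose_ssh_log
printf '%s\n' "$SAMPLE_AFTER"  | diagnose_ssh_log
```

To check a real connection, pipe `ssh -vF <ssh_config> <host> true 2>&1` into `diagnose_ssh_log`; an `exhausted-before-explicit-key` verdict indicates that the configuration needs IdentitiesOnly.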