[Bug 3153] Prefer user specified keys to avoid the agent overloading MaxAuthTries before even trying the key that was specified

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun May 10 00:28:07 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3153

Roumen Petrov <bugtrack at roumenpetrov.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugtrack at roumenpetrov.info

--- Comment #4 from Roumen Petrov <bugtrack at roumenpetrov.info> ---
I cannot understand what the issue is with agent keys.

The user starts the agent and adds some keys (identities). Those
keys are expected to take precedence over all other keys, as they are loaded first!
Then, when the client is started, it could add other identities.

The directive IdentitiesOnly set to yes is intended to minimize the agent
keys used.


Sample:
agent with keys:
  agent1
  agent2
  agent3

To simplify, let us assume that the configuration does not add other identities.

a) client .. -i no_agent -i agent2 ..

If IdentitiesOnly is set to yes, the client should try "agent2" and
"no_agent".

b) client .. -i no_agent ..
If IdentitiesOnly is set to yes, the client should try only "no_agent".


So I cannot see why IdentitiesOnly=yes is not a solution.



Reading the OpenSSH manual page, I partially agree with the first report:
----
-i identity_file
  Selects a file from which the identity (private key) for public key
authentication is read.  The default is .... Identity files may also be
specified on a per-host basis in the configuration file.  It is
possible to have multiple -i options (and multiple identities specified
in configuration files).
----

The only thing missing is that ssh(1) does not suggest that the user see
the directive IdentityFile in ssh_config(5) for more details, where:
----
IdentityFile
...
 Additionally, any identities represented by the authentication agent
will be used for authentication unless IdentitiesOnly is set.
...
----

"Additionally" is not the appropriate word, as agent keys are loaded first
and are expected to be used first.


It seems to me this report is just a documentation issue.
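The two cases above as an ssh_config fragment, added here for illustration; this is not from the bug report or from OpenSSH's own documentation, and the host names and key paths are made up:

```sshconfig
# Default behaviour (no IdentitiesOnly): ssh offers the agent's keys
# (agent1, agent2, agent3) before the key given with -i or IdentityFile,
# so a server with a low MaxAuthTries can drop the connection before
# ~/.ssh/no_agent is ever offered.
Host default-order.example
    IdentityFile ~/.ssh/no_agent

# Case (b): only the explicitly configured key is offered.
# Command-line equivalent:  ssh -o IdentitiesOnly=yes -i ~/.ssh/no_agent host
Host only-file.example
    IdentitiesOnly yes
    IdentityFile ~/.ssh/no_agent

# Case (a): a key that is also loaded in the agent can still be listed;
# IdentitiesOnly limits the offers to these two keys, and the agent is
# still used to sign with agent2 when it holds that key.
# Command-line equivalent:
#   ssh -o IdentitiesOnly=yes -i ~/.ssh/no_agent -i ~/.ssh/agent2 host
Host file-and-agent.example
    IdentitiesOnly yes
    IdentityFile ~/.ssh/no_agent
    IdentityFile ~/.ssh/agent2
```

`ssh -G only-file.example` prints the effective configuration for a host, so the `identitiesonly yes` and `identityfile` lines can be checked before connecting.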
