[Bug 3153] Prefer user specified keys to avoid the agent overloading MaxAuthTries before even trying the key that was specified

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Sep 21 00:01:22 AEST 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3153

--- Comment #5 from Christian Ehrhardt <christian.ehrhardt at canonical.com> ---
Hi Roumen,
I can absolutely see your POV that I'd like to summarize "if you
read/know all of the documentation you see what happens". And I can
follow your argument that from there the obvious improvement would be
to enhance the docs to be more obvious.

But if I turn it around to the user's perspective, I'm rather convinced
of the proposed behavior:

user-Example A)
If we describe 100 admins the following scenario:
1. ssh agent has 5 keys loaded
2. you run `ssh -i ExplicitKey foo@bar`
And we then ask them "Do you expect that ExplicitKey will be tried?"
I'm pretty sure the majority will answer "yes it will try ExplicitKey".

And even if you then hint at MaxAuthTries limiting the amount that can
be tried I assume that most would expect "what I specified explicitly
would go first, since after all I specified it explicitly".

user-Example B)
What currently happens to users is something like:
1. `ssh -i ExplicitKey foo@bar` works fine
2. .. N. some other actions which eventually make ssh-agent hold >=
MaxAuthTries other keys
3. `ssh -i ExplicitKey foo@bar` suddenly fails now
4. Puzzled?!? After a long time he finds the subtle details of
Agent/MaxAuthTries and wishes that at least what he specified
explicitly would have been tried.

Improved-Messaging example C)
Turning the case around again (no offense please, this example is
phrased slightly provocatively to show my point). If the behavior isn't
changed, then instead of a doc change (where people first have to fail,
then find the doc, then understand it all ...), I'd suggest that if ssh
gives up before the key on the command line was even tried, ssh could
emit a slightly different error.
Instead of
  "Too many authentication failures"
it could say:
  "Too many authentication failures, but just so you know, the key you
thought you used wasn't even tried"

I hope that helps to clarify why I think IdentitiesOnly and/or the
documentation thereof isn't enough.
Thanks in advance,
Christian
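The failure mode described in user-Example B, as a small simulation added here for illustration; it is not code from the bug thread or from OpenSSH. It assumes a simplified model: the client offers keys in a fixed order, every key the server rejects counts as one failed attempt, and the server stops accepting offers once the failure count reaches MaxAuthTries. The three orderings compared are the agent-first order the comment complains about, the order with IdentitiesOnly=yes, and the explicit-key-first order this bug proposes.

```python
"""Simplified model of SSH public-key offers against a MaxAuthTries limit.

Assumptions (a model for this thread, not OpenSSH's actual code):
- each rejected key offer counts as one failed authentication attempt
- the server disconnects once failures reach max_auth_tries
- IdentitiesOnly=yes means only explicitly listed keys are offered
"""

from dataclasses import dataclass


@dataclass
class Outcome:
    tried: list          # keys offered, in order, before the server gave up
    authenticated: bool  # True if an authorized key was offered in time
    explicit_tried: bool  # True if any explicitly specified key was offered


def offer_order(agent_keys, explicit_keys, identities_only=False, explicit_first=False):
    """Return the order in which the client would offer keys.

    identities_only : model of IdentitiesOnly=yes (agent-only keys skipped)
    explicit_first  : the ordering proposed in this bug report
    default         : agent keys first, then explicit keys not in the agent
    """
    if identities_only:
        return list(explicit_keys)
    if explicit_first:
        return list(explicit_keys) + [k for k in agent_keys if k not in explicit_keys]
    return list(agent_keys) + [k for k in explicit_keys if k not in agent_keys]


def attempt_auth(order, authorized, max_auth_tries, explicit_keys=()):
    """Offer keys in `order` until one is authorized or the limit is hit."""
    tried = []
    failures = 0
    for key in order:
        if failures >= max_auth_tries:
            break  # server would send "Too many authentication failures"
        tried.append(key)
        if key in authorized:
            return Outcome(tried, True, any(k in explicit_keys for k in tried))
        failures += 1
    return Outcome(tried, False, any(k in explicit_keys for k in tried))


def scenario(identities_only=False, explicit_first=False, max_auth_tries=6):
    """Example B from the thread: agent holds six unrelated keys, the key
    given with -i is the only one the server accepts (constructed data)."""
    agent_keys = [f"agent-key-{i}" for i in range(1, 7)]
    explicit_keys = ["ExplicitKey"]
    authorized = {"ExplicitKey"}
    order = offer_order(agent_keys, explicit_keys, identities_only, explicit_first)
    return attempt_auth(order, authorized, max_auth_tries, explicit_keys)


if __name__ == "__main__":
    for label, kwargs in [
        ("agent-first (current complaint)", {}),
        ("IdentitiesOnly=yes", {"identities_only": True}),
        ("explicit key first (proposed)", {"explicit_first": True}),
    ]:
        out = scenario(**kwargs)
        print(f"{label}: authenticated={out.authenticated} "
              f"explicit_tried={out.explicit_tried} offered={len(out.tried)}")
```

Running it shows the puzzle the comment describes: with six agent keys and the default MaxAuthTries of 6, the agent-first order exhausts the limit before `ExplicitKey` is ever offered, while either IdentitiesOnly=yes or the proposed explicit-first ordering succeeds on the first offer.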
