Problem and Patch: Multiple keys in ssh.com V2 agent

Richard E. Silverman res at shore.net
Fri Dec 1 02:18:24 EST 2000


On Thu, 30 Nov 2000, Ulrich Kiermayr wrote:
> 
> If I have more than one key in my agent, then the agent tries to
> authenticate me with every one of them at the OpenSSH server; but none
> of them is a valid key for that server. The problem is that the server
> increments the authctxt->attempt at every one of those tries. So even if you
> want to log in with a password at that server, you have to disable the
> agent first in order to get that chance. If the agent is running, you run
> out of tries _before_ you are able to enter a password.

This is a known issue.  I think the right thing to do is to allow
unlimited public-key checks (i.e. SSH_MSG_USERAUTH_REQUEST's with the
boolean parameter set to FALSE), but count requests that actually contain
a signature (TRUE) against the limit.  Markus agreed with me, last time we
corresponded about this.

-- 
  Richard Silverman
  slade at shore.net
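
The accounting proposed in the reply above, as an added example that is not part of the original message and not OpenSSH's code: a constructed model of a server-side attempt counter run under both policies. The types, the function names, the limit of 6 and the sample sessions are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed model of an SSH_MSG_USERAUTH_REQUEST; not OpenSSH's own types. */
enum method { PUBLICKEY, PASSWORD };
enum policy { COUNT_EVERY_REQUEST, COUNT_SIGNED_ONLY };
struct request {
    enum method method;
    bool has_signature; /* publickey boolean: FALSE = key check, TRUE = signed */
    bool valid;         /* constructed: the server would accept this credential */
};
#define MAX_ATTEMPTS 6  /* assumed limit for this demonstration */

/* A publickey request with the boolean FALSE only asks whether a key is usable. */
static bool is_key_check(const struct request *r)
{
    return r->method == PUBLICKEY && !r->has_signature;
}

/* Index of the request that authenticates, or -1 if the limit is hit first. */
int run_session(const struct request *reqs, size_t n, enum policy policy)
{
    int attempts = 0;
    for (size_t i = 0; i < n; i++) {
        if (attempts >= MAX_ATTEMPTS)
            return -1;                       /* server disconnects */
        if (policy == COUNT_EVERY_REQUEST || !is_key_check(&reqs[i]))
            attempts++;                      /* request consumes one attempt */
        if (reqs[i].valid && !is_key_check(&reqs[i]))
            return (int)i;                   /* a key check never logs in */
    }
    return -1;
}

/* Constructed session: six requests for keys the server rejects, then a
 * correct password. signed_requests sets the boolean on the key requests. */
int keys_then_password(bool signed_requests, enum policy policy)
{
    struct request reqs[7];
    for (int i = 0; i < 6; i++)
        reqs[i] = (struct request){ PUBLICKEY, signed_requests, false };
    reqs[6] = (struct request){ PASSWORD, false, true };
    return run_session(reqs, 7, policy);
}

int main(void)
{
    printf("key checks, every request counted: %d\n", keys_then_password(false, COUNT_EVERY_REQUEST));
    printf("key checks, only signed counted:   %d\n", keys_then_password(false, COUNT_SIGNED_ONLY));
    return 0;
}
```

With six unsigned key checks the password request is reached only under `COUNT_SIGNED_ONLY`; six signed requests with bad signatures still exhaust the limit under either policy, so signature guessing stays bounded.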






More information about the openssh-unix-dev mailing list