Ordering of key offers with "ssh -i"

Tim Jackson lists at timj.co.uk
Sat Jul 25 23:21:17 EST 2009


Hi

Is it expected behaviour that when using "ssh -i", the key specified in the 
"-i" option is only sent to the server *after* trying all other keys in ~/.ssh 
? I couldn't find anything about this in the manual, and it seems like 
surprising behaviour to me. It can be the cause of unexpected failures in some 
cases, if a server has MaxAuthTries set to a value which is less than the 
number of keys that the client has available.

I'm using OpenSSH 5.2p1 on Fedora, although I've recompiled without 
Fedora-specific patches to eliminate those as the cause.

Example output where I have "key1", "key2" and "key3" in ~/.ssh, but I want to 
use a special key "specialkey" to log in to a particular server (which has 
MaxAuthTries=3):

$ ssh -i specialkey joe at ssh.example.com
...
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: key1
debug1: Authentications that can continue: publickey
debug1: Offering public key: key2
debug1: Authentications that can continue: publickey
debug1: Offering public key: key3
Received disconnect from X.Y.Z.A: 2: Too many authentication failures for joe

In this case, the client never gets to try "specialkey", despite it being 
explicitly specified.

If I temporarily remove key3:

debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: key1
debug1: Authentications that can continue: publickey
debug1: Offering public key: key2
debug1: Authentications that can continue: publickey
debug1: Offering public key: /path/to/specialkey

[success]

It seems to be something to do with the agent, because the problem doesn't 
occur if you set SSH_AUTH_SOCK to an empty string before running "ssh -i".

Thanks,

Tim


More information about the openssh-unix-dev mailing list