[Bug 3153] Prefer user specified keys to avoid the agent overloading MaxAuthTries before even trying the key that was specified

bugzilla-daemon at mindrot.org
Fri Apr 24 17:06:09 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3153

--- Comment #3 from Christian Ehrhardt <christian.ehrhardt at canonical.com> ---
Hi Damien,
the suggested IdentitiesOnly=explicit is interesting, but it won't
cover the part of the users that need the fix the most.

I was mostly thinking about the less experienced users - those who'd
not understand why things are failing and not know how to hunt for the
existing workarounds.
The IdentitiesOnly=explicit option would only fix it for those people
who know what is going on (as they need to set it), unless it were
the default config value. But as the default it would break plenty of
other use cases.

But thinking about configs, maybe we'd want/need to go a step further.
Today the preference order is in the code; maybe we'd want to expose
that as a config. With my patch applied we have 6 classes of Auth to
offer.

We might apply my patch, but then revamp it completely to have the
order configurable. The following would represent the order with my
patch applied:

IdentitiesOrder=key-explicit,cert-configured,cert-other,key-agent-configured,key-agent,key-other

Everyone is welcome to bikeshed on the terms, but it actually was more
about discussing the idea :-)

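Added example, not part of the original comment and not OpenSSH code: a small model of how a class order like the proposed IdentitiesOrder decides whether an explicitly specified key is offered before the server's MaxAuthTries limit is used up. Assumptions: every offered key counts as one attempt, classes left out of the order are not offered, and the key names and the contrast order are constructed.

```python
# Added illustration. IdentitiesOrder is the option proposed in the comment above,
# not an existing ssh_config keyword; the semantics below are assumptions of this sketch.
PROPOSED = "key-explicit,cert-configured,cert-other,key-agent-configured,key-agent,key-other"
KNOWN_CLASSES = frozenset(PROPOSED.split(","))
MAX_AUTH_TRIES = 6  # sshd_config default for MaxAuthTries

def parse_order(value):
    """Parse a comma-separated class list; reject unknown or repeated classes."""
    classes = [c.strip() for c in value.split(",")]
    for c in classes:
        if c not in KNOWN_CLASSES:
            raise ValueError(f"unknown identity class: {c!r}")
    if len(set(classes)) != len(classes):
        raise ValueError("identity class listed more than once")
    return classes

def offer_sequence(candidates, order):
    """Stable-sort (name, class) pairs by class rank.
    Assumption of this sketch: classes missing from the order are not offered."""
    rank = {c: i for i, c in enumerate(order)}
    offered = [c for c in candidates if c[1] in rank]
    return sorted(offered, key=lambda c: rank[c[1]])

def attempt_number(candidates, order, name):
    """1-based position at which `name` is offered, or None if never offered."""
    for i, (n, _) in enumerate(offer_sequence(candidates, order), start=1):
        if n == name:
            return i
    return None

def reaches_server(candidates, order, name, max_tries=MAX_AUTH_TRIES):
    """True if `name` is offered before the attempt limit is exhausted
    (simplification: each offered key counts as one attempt)."""
    n = attempt_number(candidates, order, name)
    return n is not None and n <= max_tries

# Constructed sample: an agent holding seven unrelated keys, plus one key
# the user named explicitly (names are made up).
CANDIDATES = [(f"agent-{i}", "key-agent") for i in range(1, 8)]
CANDIDATES.append(("id_deploy", "key-explicit"))
# Constructed contrast order: same classes, explicit key tried last.
EXPLICIT_LAST = "cert-configured,cert-other,key-agent-configured,key-agent,key-other,key-explicit"

if __name__ == "__main__":
    for label, value in (("proposed", PROPOSED), ("explicit-last", EXPLICIT_LAST)):
        order = parse_order(value)
        print(label, attempt_number(CANDIDATES, order, "id_deploy"),
              reaches_server(CANDIDATES, order, "id_deploy"))
```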