0

At some time in the past whenever I tried an ssh connection to a server without specifying the password ssh would try all the keys in ssh-agent to the point where if there were too many keys, my IP address could be barred for too many connection failures.

The behaviour seems to have changed in that even if there is a single valid key in the ssh-agent list I have to include it in the command, eg ssh -i ~/.ssh/alternate-key user@host.

Is this due to some change configuration setting or a change in the behaviour of the ssh executable itself.

Improve this question
5
  • I think you should debug more. Testing the different keys should not cause new connections. Commented Dec 3, 2024 at 13:53
  • What is the SSH version of your client and the server you are connecting to, and (if you still know) what was it before the changed behavior? Commented Dec 3, 2024 at 14:36
  • Is the key actually loaded to the agent? Check with ssh-add -l. Commented Dec 12, 2024 at 22:10
  • It turns out there the ~/.ssh/config file had IdentitiesOnly Yes at the top of the file and this was apparently the cause of the behaviour. Commented Dec 13, 2024 at 8:32
  • 1
    It seems you have added a solution to the question text and also tagged the title with "SOLVED". I will revert this as the same text is available in your separate self-answer (more or less). Since you have accepted an answer (your own), the question is automatically marked as resolved, so no extra tagging in the title is needed. Commented Dec 13, 2024 at 8:52

2 Answers 2

Reset to default
1

even if there is a single valid key in the ssh-agent list I have to include it in the command, eg ssh -i ~/.ssh/alternate-key user@host

Using the -i option makes the ssh command use the key directly, bypassing the agent. The need to use that option would suggest that the agent is not working as expected.

Are you sure your SSH_AUTH_SOCK environment variable points to the socket of the correct agent? For example, Debian has gpg-agent that can also act as a SSH agent (with somewhat different behavior than the OpenSSH ssh-agent), and in some versions of Debian (and possibly other related distributions?) it might even be enabled by default if installed, depending on the choice of desktop environment.

There can even be multiple competing SSH agents started as part of your login session. Because of the environment variable semantics, that usually means the most recently started agent "wins".

If the agent socket's pathname (in SSH_AUTH_SOCK environment variable) ends with .../agent.<PID>, then the socket is probably either created by OpenSSH ssh-agent or you are using agent forwarding over a SSH session and the PID points to the sshd child process that started your current session.

If the agent socket's pathname ends with .../gnupg/S.gpg-agent.ssh, then last started SSH agent is actually the SSH agent subsystem of the gpg-agent. If so, then the ~/.gnupg/sshcontrol file controls which keys will be used for agent-assisted SSH protocol negotiations, and any entered passphrases will eventually time out, resulting in "sudo-like" behavior with SSH key passphrases: you can have multiple SSH authentications in succession after typing the key passphrase only once, but if a long time has passed since the previous agent-assisted key authentication, the gpg-agent will prompt for the key passphrase again.

Improve this answer
1

After seeing that the behaviour was as expected on another user account I realized that the ~/.ssh/config file of the account in question had IdentitiesOnly Yes at the top of the file, and commenting it out fixed the behaviour.

Why IdentitiesOnly Yes should override the behaviour of keys loaded in ssh-agent is something I will take time to look up, but it must be perfectly logical.

Improve this answer
2
  • 2
    well, the man page entry for IdentitiesOnly says "Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in [...]), even if ssh-agent(1) [or ...] offers more identities. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identities.", i.e. that's exactly what it's suppposed to do and it's exactly for avoiding offering too many keys. (The name is a bit odd, though, IMO.) Commented Dec 13, 2024 at 11:21
  • also e.g. tecmint.com/fix-ssh-too-many-authentication-failures-error mentions that exact issue of the agent giving too many keys to offer Commented Dec 13, 2024 at 11:22

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.