[Bug 1872145] Re: explicit key offered after all agent keys, auth can fail before explicit key used

Christian Ehrhardt  1872145 at bugs.launchpad.net
Mon Sep 20 14:02:48 UTC 2021 

I have again updated the upstream case, but if they are not willing/convinced this won't happen as Ubuntu delta or we will have too many small scratches by being slightly different on this.
So anyone affected/requesting this please chime in on the upstream bug.

Dropping server-next as it can't be acted on as-is.

** Tags removed: server-next

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1872145

Title:
  explicit key offered after all agent keys, auth can fail before
  explicit key used

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Triaged
Status in openssh package in Debian:
  New

Bug description:
  A user creates an ssh key and specifies it on the cmdline with 'ssh -i
  new_key user at host'.  The connection fails with the message "Too many
  authentication failures" displayed to the user.

  This would lead the user to believe that they failed to put the public
  portion of the new key on the destination and it will probably be hard
  for the average user to debug this.

  The root of this issue is that the user has a number of keys in
  ~/.ssh/ registered with their ssh agent.  The ssh command is offering
  each of these keys from the agent to the remote system before trying
  the explicit key from the command line.  There are enough agent keys
  to reach the failure limit (usually 5 keys) with the remote before
  they get to the explicit key.

  The solution today for the user is to head down into the ssh_config
  man page to find '-o IdentitiesOnly=yes' to skip the agent keys and
  only use the specified key.  But they're unlikely to do this because
  '-i' in the ssh man page doesn't suggest this and they'd only look for
  this if they actually understood the root cause of the problem, which
  is a bit cruel.

  We should consider changing the order of the keys offered to the
  remote to use explicit keys first followed by agent keys.  It would
  seem to me that this would honor the users intent of explicitly
  specifying a key to use.

  The current order makes this difficult for anyone fielding a user's
  authentication failure report as they must double check that ssh
  managed to actually try the key the user specified before it raised an
  error message about authentication failures.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1872145/+subscriptions

More information about the foundations-bugs mailing list