Jochen Bern
2021-Mar-22 09:58 UTC
Finding a resident key stored in an agent without a corresponding file?
On 21.03.21 15:36, Lars Noodén wrote:
> With six or fewer keys in the agent, assuming default MaxAuthTries in
> the server, it is then only a matter of having the SSH client use the
> agent and the right key will be found. However, with many keys already
> in the agent, the key has to be specified explicitly or the 'wrong' keys
> will get tried first.

Umh, *does* every privKey that ssh "offers" (as the debug output calls it) qualify as an actual authentication attempt, and thus count against MaxAuthTries? If I may trust my everyday experience with ssh-agent and "ssh-add -c", there's no *signature* being generated with ones that were "offered" but refused.

Otherwise, your request would be quite clearly in the "provide a by-use filter capability for the privKeys an ssh-agent holds" territory that was discussed - with a focus on agent *forwarding*, though - on this list a little while ago ...

Regards,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
Aaron Jones
2021-Mar-22 11:09 UTC
Finding a resident key stored in an agent without a corresponding file?
On 22/03/2021 09:58, Jochen Bern wrote:
> Umh, *does* every privKey that ssh "offers" (as the debug output calls
> it) qualify as an actual authentication attempt, and thus count against
> MaxAuthTries?

Yes, in my experience it does, and with a large keyring collection in the agent, or with a lot of keys located at default paths, a server with a low MaxAuthTries limit will boot me out, before I can even attempt auth, unless I specify an explicit IdentityFile= and also specify IdentitiesOnly=yes (so that it doesn't try any others, even those located at default paths).

Regards,
Aaron Jones
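The two messages above raise a practical question (does each key the client "offers" count against MaxAuthTries?) and a practical answer (pin the host to one IdentityFile with IdentitiesOnly=yes). The following script is an added example, not part of the list thread or of OpenSSH itself. It shows how to count the "Offering public key:" lines in `ssh -v` output, which is where the client reports each key it sends to the server, compares that count with a MaxAuthTries value, checks for the "Too many authentication failures" disconnect, and emits a pinned ssh_config stanza. The debug log, host name and key paths are constructed placeholders; the debug line format follows current OpenSSH clients, and the default MaxAuthTries of 6 is the sshd_config default.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or the OpenSSH project).
# Inspect `ssh -v` output to see how many agent/default-path keys the
# client offers before the right one, and produce an ssh_config stanza
# that pins a host to a single key with IdentitiesOnly=yes.

# CONSTRUCTED sample of OpenSSH debug1 output: seven keys offered, then the
# server disconnects because the default MaxAuthTries (6) was exceeded.
# Paths, fingerprints and the 192.0.2.10 address are placeholders.
SAMPLE_DEBUG_LOG='debug1: Will attempt key: /home/me/.ssh/id_ed25519 ED25519 SHA256:AAAA agent
debug1: Will attempt key: /home/me/.ssh/work_rsa RSA SHA256:BBBB agent
debug1: Offering public key: /home/me/.ssh/id_ed25519 ED25519 SHA256:AAAA agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/me/.ssh/work_rsa RSA SHA256:BBBB agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/me/.ssh/lab_rsa RSA SHA256:CCCC agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/me/.ssh/ci_ed25519 ED25519 SHA256:DDDD agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/me/.ssh/old_rsa RSA SHA256:EEEE agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/me/.ssh/vendor_rsa RSA SHA256:FFFF agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/me/.ssh/bastion_ed25519 ED25519 SHA256:GGGG agent
Received disconnect from 192.0.2.10 port 22:2: Too many authentication failures'

# Count the keys the client actually sent to the server. Each "Offering"
# line is one publickey request the server may count against MaxAuthTries.
# `|| true` keeps grep's exit status 1 (no matches) from aborting under set -e.
count_offered() {
    printf '%s\n' "$1" | grep -c '^debug1: Offering public key:' || true
}

# Return 0 if the number of offered keys fits within MaxAuthTries
# (second argument, default 6 as in sshd_config), else 1.
within_max_auth_tries() {
    max=${2:-6}
    n=$(count_offered "$1")
    [ "$n" -le "$max" ]
}

# Return 0 if the server cut the connection for too many failures.
disconnected_too_many() {
    printf '%s\n' "$1" | grep -q 'Too many authentication failures'
}

# Emit an ssh_config stanza that offers exactly one key to this host,
# ignoring every other agent key and default-path identity.
pinned_host_stanza() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Stand-alone run: report on the constructed log and print the stanza.
echo "keys offered: $(count_offered "$SAMPLE_DEBUG_LOG")"
if ! within_max_auth_tries "$SAMPLE_DEBUG_LOG"; then
    echo "more keys offered than the default MaxAuthTries of 6"
fi
if disconnected_too_many "$SAMPLE_DEBUG_LOG"; then
    echo "server disconnected: pin the key for this host, e.g."
    pinned_host_stanza bastion.example /home/me/.ssh/bastion_ed25519
fi
```

To use this against a real session, capture the client's own output with `ssh -v host 2>debug.log` and feed the file's contents to `count_offered`; the same `-i keyfile -o IdentitiesOnly=yes` effect can be had on the command line instead of the Host stanza.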