search for: identitieson

Displaying 20 results from an estimated 52 matches for "identitieson".

2019 Oct 09
3
[Bug 3080] New: Document IdentityFile=none and clarify interaction of defaults with IdentitiesOnly
https://bugzilla.mindrot.org/show_bug.cgi?id=3080 Bug ID: 3080 Summary: Document IdentityFile=none and clarify interaction of defaults with IdentitiesOnly Product: Portable OpenSSH Version: 8.0p1 Hardware: Other OS: All Status: NEW Severity: normal Priority: P5 Component: Documentation Assignee: unassigned-bugs at mindrot.org Reporter: opens...
2019 Apr 01
2
IdentityFile vs IdentitiesOnly
...ror message like Received disconnect from 2001:db8::8077 port 999:2: Too many authentication failures Authentication failed. AFAIU the ssh-agent is to blame here, trying out all keys he has ever seen. This conflicts with MaxAuthTries 6, set by default on the peer. The solution seems to be to set IdentitiesOnly, e.g.: : : Host host.example.com 2001:db8::8077 IdentityFile ~/.ssh/id_ecdsa IdentitiesOnly yes Port 999 : : Shouldn't an explicit IdentityFile (as in the example) *imply* IdentitiesOnly? Every helpful comment is highly appreciated Harri
2013 Apr 30
3
[Bug 2095] New: ssh client not respecting IdentitiesOnly=yes option
https://bugzilla.mindrot.org/show_bug.cgi?id=2095 Bug ID: 2095 Summary: ssh client not respecting IdentitiesOnly=yes option Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: All Status: NEW Severity: trivial Priority: P5 Component: ssh Assignee: unassigned-bugs at mind...
2019 Apr 02
2
IdentityFile vs IdentitiesOnly
...0:41 AM, Darren Tucker wrote: > On Mon, 1 Apr 2019 at 08:12, Harald Dunkel <harald.dunkel at aixigo.de> wrote: >> I've got a moderate number of keys in my ssh config file. >> Problem: Very often I get an error message like > [...] >> The solution seems to be to set IdentitiesOnly, e.g.: > [...] >> Shouldn't an explicit IdentityFile (as in the example) *imply* >> IdentitiesOnly? > > Probably not. What version are you using? Is this key in the agent > or do you need to supply a passphrase? > My client is 7.4 or newer, but the peers might...
2020 Apr 23
6
[Bug 3153] New: Prefer user specified keys to avoid the agent overloading MaxAuthTries before even trying the key that was specified
...report to Ubuntu [1] I was wondering that this issue seems to exist for so long and affect so many people [2][3][4][5][6][7][8]. It was also discussed within openssh in [9][10]. But in all of those cases all that was done was to suggest workarounds like "PubkeyAuthentication=no" or "IdentitiesOnly=yes", but IMHO those are all just exactly that - workarounds. Also there are many "related but not entirely the same" upstream bugs like [11][12], but it seems no one has yet discussed the approach we had in mind. If a usual user calls ssh like ssh -i <mykey> ... And gets...
2009 Jan 22
0
Unintended key info disclosure via ForwardAgent?
...ed] User ssh-add's keys for all local and remote host groups. ~/.ssh/config: Host locala* ForwardAgent yes IdentityFile ~/.ssh/id_dsa_locala Host remotea* IdentityFile ~/.ssh/id_dsa_remotea Host remoteb* IdentityFile ~/.ssh/id_dsa_remoteb ... Host * ForwardAgent no IdentitiesOnly yes local[g][n] - local hosts [generally trusted] ssh[d]_config are the installed default, ~/.ssh/config doesn't exist. Access is via ~/.ssh/authorized_keys only. remote[g][n] - remote internet hosts [generally untrusted] ssh[d]_config are the installed default, ~/.ssh/config doesn...
2013 Jan 29
16
[Bug 2066] New: ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066 Bug ID: 2066 Summary: ssh tries the keys proposed by the agent before those passed with -i Classification: Unclassified Product: Portable OpenSSH Version: 6.0p1 Hardware: All OS: Linux Status: NEW Severity: normal
2004 May 12
3
Oddness with agent forwarding and -i
Hey everyone, I hope this isn't an old issue; I wasn't able to locate it in the archives. I have a number of scripts which make use of ssh -i and scp -i, where the target host has the specified key in its authorized_keys file with a command= override to do immediate processing of the received data. This works extremely well, as we are able to establish single-function, triggered-action
2014 Jan 09
1
OSX - SSH agent functionality differing based upon CLI arguments
...connection, and execute a remote git clone (via SSH), the Agent Forwarding works, and I am not prompted for credentials: ssh vagrant@127.0.0.1 -p 2222 \ -o Compression=yes \ -o StrictHostKeyChecking=no \ -o LogLevel=FATAL \ -o StrictHostKeyChecking=no \ -o UserKnownHostsFile=/dev/null \ -o IdentitiesOnly=yes \ -i /Users/bryanhunt/.vagrant.d/insecure_private_key \ -o ForwardAgent=yes \ "/bin/sh -c 'git clone git@bitbucket.org:bryan_picsolve/poc_docker.git /home/vagrant/poc_dockera' " Cloning into '/home/vagrant/poc_dockera'... In the second instance I express the arg...
2012 Jul 06
9
[Bug 2024] New: Allow to ssh client say to ssh-agent which key should be used.
https://bugzilla.mindrot.org/show_bug.cgi?id=2024 Priority: P5 Bug ID: 2024 Assignee: unassigned-bugs at mindrot.org Summary: Allow to ssh client say to ssh-agent which key should be used. Severity: enhancement Classification: Unclassified OS: Linux Reporter: pub at mnu.pp.ru Hardware:
2004 Mar 30
0
[Bug 448] ssh ignores key specified with -i if agent is running
...--- Additional Comments From djm at mindrot.org 2004-03-30 16:12 ------- Fixed: revision 1.124 date: 2004/03/08 12:12:36; author: djm; state: Exp; lines: +2 -2 - markus at cvs.openbsd.org 2004/03/05 10:53:58 [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c] add IdentitiesOnly; ok djm@, pb@ > IdentitiesOnly > Specifies that ssh should only use the authentication identity > files configured in the ssh_config files, even if the ssh-agent > offers more identities. The argument to this keyword must be > ``yes'' or ``no''. T...
2011 Aug 25
1
Add missing -o options in ssh(1) manual
...ntrolPath +.It ControlPersist .It DynamicForward .It EscapeChar .It ExitOnForwardFailure .It ForwardAgent .It ForwardX11 +.It ForwardX11Timeout .It ForwardX11Trusted .It GatewayPorts .It GlobalKnownHostsFile @@ -438,6 +440,7 @@ For full details of the options listed b .It IdentityFile .It IdentitiesOnly .It IPQoS +.It KbdInteractiveAuthentication .It KbdInteractiveDevices .It KexAlgorithms .It LocalCommand
2014 Mar 20
1
[Bug 2214] New: Key is detected as existing if LogLevel=QUIET
...e of the cases is when the configuration file contains a LogLevel=QUIET option. Let's assume that ~/.ssh/config contains: > Host 127.* > LogLevel QUIET And we have no valid key for localhost. Attempting to connect doesn't give any errors: > $ ssh -o PreferredAuthentications=publickey -o IdentitiesOnly=yes user@127.0.0.1 > $ ssh -o LogLevel=INFO -o PreferredAuthentications=publickey -o IdentitiesOnly=yes user@127.0.0.1 > Permission denied (publickey,password). The fix is to add LogLevel=INFO to the ssh command, which is a sane default since ssh-copy-id actually depends on ssh to ha...
2014 Apr 04
3
[Bug 2221] New: Explicit identity files are being used after implicit files are attempted
https://bugzilla.mindrot.org/show_bug.cgi?id=2221 Bug ID: 2221 Summary: Explicit identity files are being used after implicit files are attempted Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component:
2017 Jun 21
1
encoding/locale problem with ssh -X
...---- My setup: - locally: Linux (Debian GNU/Linux 9) - remotely Linux (RHEL Server release 7.3 (Maipo) (Maybe) relevant bits of my .ssh/config: ,---- | Host theserver | HostName XXX.XXX.XXX.XXX | ForwardX11 yes | ForwardX11Timeout 596h | IdentityFile ~/.ssh/id_rsa | IdentitiesOnly yes | ForwardAgent yes | ServerAliveInterval 300 `---- Thanks in advance for your help! Best, Andreas
2023 Nov 12
1
Match Principal enhancement
...d key has previously been provided with appropriate principals (and maybe source-addresses etc). They would be configured to use something like the following in their ssh config file Host sshgw.example.com User sshfwd ProxyJump none Host *.example.com IdentitiesOnly yes IdentityFile batcha User batcha ProxyJump batcha I can also see other potential uses for it on target computers where I only allow connections using keys signed by a trusted CA. Regards, Bret
2010 Nov 08
3
[Bug 1834] New: OpenSSH ignores keys in ~/.ssh/config and offers keys from Seahorse instead
https://bugzilla.mindrot.org/show_bug.cgi?id=1834 Summary: OpenSSH ignores keys in ~/.ssh/config and offers keys from Seahorse instead Product: Portable OpenSSH Version: 5.6p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo:
2016 Mar 11
2
Forward only specific identities
...ormation but I can't seem to find a way to only forward specific identities to some hosts. What I would really like to have is a way to only forward the identity that gave me a successful auth: % ls ~/.ssh | grep .pub id_ecdsa.pub id_ed25519.pub id_rsa.pub % cat .ssh/config Host example.com: IdentitiesOnly=yes IdentityFile=/home/tspriggs/.ssh/id_rsa.pub Host another-example.com: IdentitiesOnly=yes IdentityFile=/home/tspriggs/.ssh/id_ecdsa.pub # This would be super cool: Host * OnlyForwardAuthedKey=yes % ssh tspriggs@example.com example.com % ssh-agent -L ssh-rsa ... example.com % ssh...
2023 Nov 12
1
Match Principal enhancement
...with appropriate principals (and maybe source-addresses etc). They would be configured to use something like the following in their ssh config file > > Host sshgw.example.com <http://sshgw.example.com/> > User sshfwd > ProxyJump none > > Host *.example.com > IdentitiesOnly yes > IdentityFile batcha > User batcha > ProxyJump batcha > > I can also see other potential uses for it on target computers where I only allow connections using keys signed by a trusted CA. > > Regards, > > Bret > > ______________________________...
2018 Jan 02
3
Restricting port forwarding on remote server
> From: Juanito <juam at posteo.net> > > If I create a tunnel like this from the client side, > > ssh -nNTv -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o IdentitiesOnly=yes -o UserKnownHostsFile=$known_hosts_file -i /etc/sshquare/id_rsa -R $port:localhost:22 $user@$host > > would it be possible on the server side to restrict $port to say 10000 > and deny it on all other ports. In a way that $user is only allowed to > forward a local port and bind...