Dealing with SSH’s key spam problem

Recently I created a new virtual machine locally, and I tried to ssh into it.

[diablo@infinity ~]$ ssh tachikoma
Received disconnect from tachikoma: 2: Too many authentication
failures for diablo
[diablo@infinity ~]$

I didn’t put a key on tachikoma yet, and ssh didn’t ask me my password. It didn’t make any sense.

So, I ran the same command with -vvv and realized… its sending all my identity keys to tachikoma, and the sshd on that machine is kicking the connection due to all of them failing.

What bizarre behavior.

So I dug around in the man page for ~/.ssh/config, ssh_config and noticed I can just add…

host *
IdentitiesOnly yes

… to force ssh to only use specifically named identities which (what I’ve been doing for years, anyways) are written like this…

host some.remote.host.com
IdentityFile ~/.ssh/id_rsa_some.remote.host.com

… or something similar. With the IdentitiesOnly directive in there, it only sends specifically the identity keys I specify with IdentityFile instead of spamming all the keys I have.

I’m not sure if this is a Debian-only problem (both infinity and tachikoma are Debian machines), but even though its a security feature, its kind of annoying.

Written by
Open Source software architect and technologist. He's just this guy, you know? Follow him him on Google+.
Published in
Transmissions from the Little Blue Marble

Published March 15th, 2009

Comments

Leave a Reply