Dealing with SSH’s key spam problem
Recently I created a new virtual machine locally, and I tried to ssh into it.
[diablo@infinity ~]$ ssh tachikoma
Received disconnect from tachikoma: 2: Too many authentication failures for diablo
[diablo@infinity ~]$
I hadn’t put a key on tachikoma yet, and ssh didn’t ask me for my password. It didn’t make any sense.
So, I ran the same command with -vvv and realized… it’s sending all my identity keys to tachikoma, and the sshd on that machine is kicking the connection because all of them failed.
What bizarre behavior.
So I dug around in the man page for ~/.ssh/config (ssh_config) and noticed I can just add…
host *
IdentitiesOnly yes
… to force ssh to use only specifically named identities, which (as I’ve been doing for years anyway) are written like this…
host some.remote.host.com
IdentityFile ~/.ssh/id_rsa_some.remote.host.com
… or something similar. With the IdentitiesOnly directive in there, ssh sends only the identity keys I specify with IdentityFile instead of spamming all the keys I have.
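As an added illustration, not from the original post, here is a small Python resolver that mimics how OpenSSH applies these two directives: for IdentitiesOnly the first value found wins, while IdentityFile values from every matching block accumulate. The host names are the post’s; the config text is constructed, and it shows the caveat that a host * block at the top of the file also overrides any later per-host IdentitiesOnly setting.

```python
"""Resolve the ssh_config keywords behind the IdentitiesOnly fix.

OpenSSH uses the FIRST value found for most keywords, so a 'host *' block
at the top pins IdentitiesOnly for every host and a later per-host override
is ignored; IdentityFile is the exception, values from every matching block
accumulate. The sample config below is constructed for this example.
"""
import re
from fnmatch import fnmatchcase

SAMPLE_CONFIG = """\
host *
    IdentitiesOnly yes
host some.remote.host.com
    IdentityFile ~/.ssh/id_rsa_some.remote.host.com
host tachikoma
    IdentitiesOnly no
"""


def host_matches(patterns, hostname):
    """Host patterns: whitespace separated, '*'/'?' wildcards, '!' negates."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve(config_text, hostname):
    """Return the effective IdentitiesOnly value and IdentityFile list."""
    identities_only, identity_files = None, []
    active = True  # keywords before the first Host block apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "host":
            active = host_matches(value.split(), hostname)
        elif not active:
            continue
        elif keyword == "identityfile":
            identity_files.append(value)
        elif keyword == "identitiesonly" and identities_only is None:
            identities_only = value.lower()  # first obtained value wins
    # OpenSSH default is IdentitiesOnly no; an empty IdentityFile list means
    # ssh falls back to its built-in default key names plus any agent keys.
    return {"IdentitiesOnly": identities_only or "no",
            "IdentityFile": identity_files}
```

If you want a per-host IdentitiesOnly no to take effect, the host * block has to come after it.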
I’m not sure if this is a Debian-only problem (both infinity and tachikoma are Debian machines), but even though it’s a security feature, it’s kind of annoying.