{"id":896,"date":"2009-03-15T15:44:12","date_gmt":"2009-03-15T19:44:12","guid":{"rendered":"http:\/\/adterrasperaspera.com\/blog\/?p=896"},"modified":"2013-11-13T04:50:48","modified_gmt":"2013-11-13T09:50:48","slug":"dealing-with-sshs-key-spam-problem","status":"publish","type":"post","link":"https:\/\/adterrasperaspera.com\/blog\/2009\/03\/15\/dealing-with-sshs-key-spam-problem\/","title":{"rendered":"Dealing with SSH&#8217;s key spam problem"},"content":{"rendered":"<p>Recently I created a new virtual machine locally, and I tried to ssh into it.<\/p>\n<p><code>[diablo@infinity ~]$ ssh tachikoma<br \/>\nReceived disconnect from tachikoma: 2: Too many authentication<br \/>\nfailures for diablo<br \/>\n[diablo@infinity ~]$<\/code><\/p>\n<p>I didn&#8217;t put a key on tachikoma yet, and ssh didn&#8217;t ask me my password. It didn&#8217;t make any sense.<\/p>\n<p>So, I ran the same command with <code>-vvv<\/code> and realized&#8230; it&#8217;s sending all my identity keys to tachikoma, and the sshd on that machine is kicking the connection due to all of them failing.<\/p>\n<p>What bizarre behavior.<\/p>\n<p>So I dug around in the man page for <code>~\/.ssh\/config<\/code>, <code>ssh_config<\/code> and noticed I can just add&#8230;<\/p>\n<p><code>host *<br \/>\nIdentitiesOnly yes<br \/>\n<\/code><\/p>\n<p>&#8230; to force ssh to only use specifically named identities which (what I&#8217;ve been doing for years, anyways) are written like this&#8230;<\/p>\n<p><code>host some.remote.host.com<br \/>\nIdentityFile ~\/.ssh\/id_rsa_some.remote.host.com<br \/>\n<\/code><\/p>\n<p>&#8230; or something similar. 
With the <code>IdentitiesOnly<\/code> directive in there, it only sends specifically the identity keys I specify with <code>IdentityFile<\/code> instead of spamming all the keys I have.<\/p>\n<p>I&#8217;m not sure if this is a Debian-only problem (both infinity and tachikoma are Debian machines), but even though it&#8217;s a security feature, it&#8217;s kind of annoying.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I created a new virtual machine locally, and I tried to ssh into it. [diablo@infinity ~]$ ssh tachikoma Received disconnect from tachikoma: 2: Too many authentication failures for diablo [diablo@infinity ~]$ I didn&#8217;t put a key on tachikoma yet, and ssh didn&#8217;t ask me my password. It didn&#8217;t make any sense. So, I ran [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[404],"tags":[],"_links":{"self":[{"href":"https:\/\/adterrasperaspera.com\/blog\/wp-json\/wp\/v2\/posts\/896"}],"collection":[{"href":"https:\/\/adterrasperaspera.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adterrasperaspera.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adterrasperaspera.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/adterrasperaspera.com\/blog\/wp-json\/wp\/v2\/comments?post=896"}],"version-history":[{"count":8,"href":"https:\/\/adterrasperaspera.com\/blog\/wp-json\/wp\/v2\/posts\/896\/revisions"}],"predecessor-version":[{"id":2262,"href":"https:\/\/adterrasperaspera.com\/blog\/wp-json\/wp\/v2\/posts\/896\/revisions\/2262"}],"wp:attachment":[{"href":"https:\/\/adterrasperaspera.com\/blog\/wp-json\/wp\/v2\/media?parent=896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adterrasperaspera.com\/blog\/wp-json\/wp\/v2\/categories?post=896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ad
terrasperaspera.com\/blog\/wp-json\/wp\/v2\/tags?post=896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}