Ability to specify which key to use (otherwise: Too many authentication failures)

Gudlyf Junior Member
Community Member
edited May 3 in SSH

I was perplexed as to why I could not SSH into a system earlier today. It looks like ssh is simply trying all of the keys in my vault, one after another, though never getting to the one it needs before the server fails with "Too many authentication failures":

debug2: pubkey_prepare: done
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: foo1 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar1 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: foo2 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar2 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: foo3 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar3 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
Received disconnect from x.x.x.x port 22:2: Too many authentication failures for username

Is there any way to support specifying the key to grab from the vault so that this does not happen?


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3

Comments

  • billvortex
    Community Member

    Yes, you can specify the key to use via IdentityFile in the .ssh/config file. You can view the keys by running

    SSH_AUTH_SOCK="$(readlink -f ~/Library/Group\ Containers/*.com.1password/t/agent.sock)" ssh-add -l
    

    You'll see a line per key in the form of

    KEY_SIZE SHA256:KEY_HASH FILE_NAME (KEY_TYPE)
    

    Set your IdentityFile equal to the FILE_NAME and it will use that key.

  • Gudlyf Junior Member
    Community Member

    Set your IdentityFile equal to the FILE_NAME and it will use that key.

    Hm, I see FILE_NAME is just a single word (like foo1) but adding that as IdentityFile foo1 seems to look for an actual file. Is that the correct way to define it, or do I need a path?

  • floris_1P
    Team Member

    See this page on how to deal with the Too many authentication failures error. You'll have to download the public key file and use that as IdentityFile. ssh-add -l only shows the key item name.

  • Gudlyf Junior Member
    Community Member

    Aw, that stinks, but I suppose it makes sense. I moved all of my SSH keys into 1Password, hoping I would no longer have my keys exposed on the filesystem. I guess I need to just go back to that. I hope 1Password figures out another solution some day!

  • Gudlyf Junior Member
    Community Member

    @floris_1P -- From the docs you linked, it says to export the public key, not the private key. That doesn't make sense -- shouldn't it be the private key?

  • floris_1P
    Team Member

    @Gudlyf No, it's really the public key! That would otherwise defeat the purpose of having this built-in SSH agent 😅.

    IdentityFile is indeed most famous for its use with private keys, but you can also use it with public keys, so that the private keys never have to leave the SSH agent.
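    Putting the approach above into a small script, as an added example that is not from the original post or from 1Password: it takes `ssh-add -L` output (a constructed sample is embedded so it runs offline, with placeholder key material), writes the public key whose comment matches a 1Password item name to a `.pub` file, and prints the matching Host stanza. `IdentitiesOnly yes` is not mentioned in the thread; it is the standard OpenSSH option that stops ssh from also offering every other agent key after the one listed.

```shell
#!/bin/sh
# Constructed sample of `ssh-add -L` output from the 1Password agent.
# The trailing comment is the 1Password item name; key bodies are placeholders.
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000 foo1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER bar1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1111111111111111111111111111 Build Server'

# export_pubkey NAME OUTDIR [KEYLIST]
# Writes the public key whose comment equals NAME to OUTDIR/NAME.pub and
# prints that path. KEYLIST defaults to the live agent listing (ssh-add -L);
# pass the listing as text to work offline. Comments may contain spaces.
export_pubkey() {
  name=$1; outdir=$2; keys=${3:-$(ssh-add -L)}
  line=$(printf '%s\n' "$keys" | awk -v n="$name" '
    { c = $0; sub(/^[^ ]+ [^ ]+ /, "", c); if (c == n) { print; exit } }')
  [ -n "$line" ] || { echo "no agent key named '$name'" >&2; return 1; }
  mkdir -p "$outdir"
  printf '%s\n' "$line" > "$outdir/$name.pub"
  chmod 644 "$outdir/$name.pub"     # public key: world-readable is fine
  printf '%s\n' "$outdir/$name.pub"
}

# host_block HOST KEYPATH
# Prints an ssh_config Host stanza that offers only KEYPATH to HOST.
# The private key stays in the agent; ssh only asks it to sign with this key.
host_block() {
  printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Demo (offline, on the constructed sample): OUTDIR=/tmp/keys sh this.sh
if [ -n "$OUTDIR" ]; then
  p=$(export_pubkey foo1 "$OUTDIR" "$SAMPLE_KEYS") && host_block example.com "$p"
fi
```

    Append the printed stanza to ~/.ssh/config; with a live agent, omit the third argument so the script reads ssh-add -L directly.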

  • Gudlyf Junior Member
    Community Member

    @floris_1P Yeah I figured that was the point but doing that doesn't seem to work.

    sign_and_send_pubkey: signing failed for RSA "/Users/username/.ssh/id_rsa.pub" from agent: agent refused operation [email protected]: Permission denied (publickey).

    Changing to the private key file works.

  • floris_1P
    Team Member
    edited April 12

    Do you see anything appear in the 1Password logs when you run the SSH command? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

  • Gudlyf Junior Member
    Community Member

    @floris_1P Ah, thanks for pointing me to that. Looks like it's an older SHA-1 key we'll need to update.

  • floris_1P
    Team Member

    It's not an issue with the key itself, but rather the communication mechanism between the SSH server and the SSH client when using RSA keys. If the server supports a more modern RSA algorithm (like rsa-sha2-256), you can add this snippet to your SSH config to opt out of the legacy ssh-rsa algorithm.

    HostkeyAlgorithms -ssh-rsa
    PubkeyAcceptedAlgorithms -ssh-rsa
    

    However, some servers and some clients only support ssh-rsa for RSA keys. In some cases, simply switching to an Ed25519 key is a feasible workaround. But we're also working on adding better legacy support to the SSH agent; we'll post an update in this thread when that's released.

  • zaxaz Junior Member
    Community Member

    Ok, so color me confused. What's the purpose of putting keys into 1Password and using the ssh-agent if I still have to individually configure each host in ~/.ssh/config?

    Shouldn't the ssh-agent intercept the requested host, look up the corresponding key and make the connection without my having to store my public key still in my file system and pointing to it in my config? I thought the purpose of this exercise was to make the management and storage of keys easier.

    Here's my config (obfuscated):

    Host hostshortname hostaltname
    Hostname hostshortname.mydomain.com
    IdentityFile /my/path/to/my/keystore/[email protected]

    Wouldn't it be advantageous if 1Password provided an option to store the account(s)/logins the key name applies to so all I need worry about is indicating in the 1Password key item, the login is identified so it can make the match and do its thing?

    I definitely don't want to poopoo this capability. I'm tickled to death I can keep my private keys in 1Password. I just think additional features would be great too.

  • Ekami67
    Community Member

    I'm having the same issue with Too many authentication failures. I lost plenty of time moving everything to 1password only to discover that I had to revert what I did... This is not serious really, you could have pointed out that issue when you released your article on the subject =/

  • floris_1P
    Team Member

    This is unfortunately how the SSH agent protocol works. You don't 'add keys for host XYZ', you just 'add keys' and your SSH client will try them all one by one. The SSH config is there if you want to do explicit matching, but that's only needed if you have more than 6 different keys or if you want to keep things strictly separated.

    We do see that there are a few alleys open for us to improve the experience in this area, which we are currently investigating. So stay tuned!

    And @Ekami67, could you describe what there is to revert or why that's needed?

  • rodneyt
    Community Member

    This page is vital. https://developer.1password.com/docs/ssh/agent/advanced/#ssh-server-six-key-limit I wonder if the agent could be configured to output instructions to the terminal when the "Too many authentication failures" occurs. Or perhaps 1password could display a dialog.

  • floris_1P
    Team Member

    Unfortunately, we don't have any control over what SSH clients log. What we are looking into is to see what we can do to more proactively warn about this.

  • digitalfiz
    Community Member

    Is there no way in 1password to get the same functionality we have with websites but with hostnames for ssh keys? Even if the first time it encounters a host it asks which to use like you do in the mobile apps to attach an app id to a login?
