SSH Agent breaks username/password SSH Authentication

wavesound
Community Member
edited September 2023 in SSH

Starting recently, 1Password broke SSH for servers that use basic username/password authentication. These servers do not have credentials in 1Password and I don't want to store them in 1Password.

Whenever I go to log in to a server, I see the following error:

user@Computer ~ % ssh username@192.168.1.1
Received disconnect from 192.168.1.1 port 22:2: Too many authentication failures

The only solution is to disable the SSH Agent in 1Password Settings -> Developer.

When will this bug get fixed?


1Password Version: 8.10.13
Extension Version: Not Provided
OS Version: macOS 13.5.1
Browser: Not Provided

Comments

  • floris_1P
    edited September 2023

    You're getting this error because ssh first tries to authenticate with every key you have in the agent, and only then falls back to the username/password authentication method. But also: the default SSH server configuration states that you only have 6 authentication tries in total, which can be a problem if you have too many keys in the agent.

    The good news is that you can control which authentication mechanism gets used first, using the PreferredAuthentications SSH config directive. For example, if certain hosts only support username/password auth, you can disable publickey authentication for these hosts and have them only use password authentication:

    Host somehost
        PreferredAuthentications password
    
  • wavesound
    Community Member
    edited September 2023

    @floris_1P

    I deleted a few unused keys and I'm back in business. Thank you for your answer. I'm connecting to a variety of hosts with a variety of settings so I can't simply preset PreferredAuthentications for all the random hosts I come across all the time...

    Is there any way for the 1Password agent to know what host the keys should be used on?

  • How keys are matched with hosts happens on the SSH client side, rather than the SSH agent side. If your hosts are dynamic, here are some tricks that might help you:

    If there is a common static part in the hosts, like a domain, you can use a wildcard * in your SSH config:

    Host *.mydomain.com
      PreferredAuthentications password
    

    Or if you're always connecting to these hosts using a certain script, you can add the option inline:

    ssh -o 'PreferredAuthentications=password' user@host
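
The interaction described in the answers above (every agent key is tried first, and the server allows 6 tries) can be checked before connecting. The script below is an added example, not part of any post in this thread: it reads `ssh-add -l` and `ssh -G <host>` output and reports whether agent keys would use up the tries before password authentication. Function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# SERVER_TRY_LIMIT is the 6-try server default quoted in the answer above.
SERVER_TRY_LIMIT=6

# Count identities in `ssh-add -l` output read from stdin.
count_agent_keys() {
  grep -cE '^[0-9]+ (SHA256|MD5):' || true   # grep exits 1 on zero matches
}

# Read `ssh -G host` output on stdin; succeed if the client will offer keys.
offers_pubkey() {
  awk '
    $1 == "pubkeyauthentication"     { pubkey = $2 }
    $1 == "preferredauthentications" { pref = $2 }
    END {
      # ssh -G prints "no" or "false" depending on the OpenSSH version
      if (pubkey == "no" || pubkey == "false") exit 1
      if (pref == "") exit 0   # unset: ssh default order includes publickey
      if (("," pref ",") ~ /,publickey,/) exit 0
      exit 1
    }'
}

# verdict KEY_COUNT: reads `ssh -G host` output on stdin, prints one line.
verdict() {
  if ! offers_pubkey; then
    echo "ok: publickey not offered, password is tried directly"
  elif [ "$1" -ge "$SERVER_TRY_LIMIT" ]; then
    echo "risk: $1 agent keys can use all $SERVER_TRY_LIMIT tries before password"
  else
    echo "ok: $1 agent keys leave tries for password"
  fi
}

# Constructed sample input (fingerprints are placeholders, not real keys).
sample_agent() {
  for i in 1 2 3 4 5 6 7; do
    echo "256 SHA256:CONSTRUCTEDFINGERPRINT$i key$i (ED25519)"
  done
}
SAMPLE_CFG_DEFAULT='hostname 192.0.2.10
pubkeyauthentication yes'
SAMPLE_CFG_PASSWORD='hostname 192.0.2.10
pubkeyauthentication yes
preferredauthentications password'

# Live use: sh check.sh user@host   (runs only when a host argument is given)
if [ $# -eq 1 ]; then
  ssh -G "$1" | verdict "$(ssh-add -l 2>/dev/null | count_agent_keys)"
fi
```

Because `ssh -G` resolves `Host` blocks and wildcards, running it against a host covered by a `PreferredAuthentications password` entry confirms that the config entry actually applies to that name.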
    
  • solarizde
    Community Member
    edited October 2023

    I have exactly the same situation. I helped myself by creating a short alias; not sure if this is doable on Mac, but it should be.

    alias sshp='ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no'

    So if I want to connect to password-only hosts (in my case random switches), I use sshp manager@10.10.10.10

This discussion has been closed.