Former Member
3 years ago
Ability to specify which key to use (otherwise: Too many authentication failures)
I was perplexed as to why I could not SSH into a system earlier today. It looks like ssh is simply trying all of the keys in my vault, one after another, though never getting to the one it needs before the server fails with "Too many authentication failures":
debug2: pubkey_prepare: done
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: foo1 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar1 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: foo2 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar2 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: foo3 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar3 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
Received disconnect from x.x.x.x port 22:2: Too many authentication failures for username
Is there any way to support specifying the key to grab from the vault so that this does not happen?
1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3
- Former Member
floris_1P Ah, thanks for pointing me to that. Looks like it's an older SHA-1 key we'll need to update.
- floris_1P
1Password Team
Do you see anything appear in the 1Password logs when you run the SSH command? On macOS:
~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log
- Former Member
floris_1P Yeah I figured that was the point but doing that doesn't seem to work.
sign_and_send_pubkey: signing failed for RSA "/Users/username/.ssh/id_rsa.pub" from agent: agent refused operation
user@x.x.x.x: Permission denied (publickey).
Changing to the private key file works.
- floris_1P
1Password Team
@Gudlyf No, it's really the public key! That would otherwise defeat the purpose of having this built-in SSH agent 😅.
IdentityFile is indeed most famous for its use with private keys, but you can also use it with public keys, so that the private keys never have to leave the SSH agent.
- Former Member
floris_1P -- From the docs you linked, it says to export the public key, not the private key. That doesn't make sense -- shouldn't it be the private key?
- Former Member
AW, that stinks, but I suppose it makes sense. I moved all of my SSH keys into 1Password, hoping I would no longer have my keys exposed on the filesystem. I guess I need to just go back to that. I hope 1Password figures out another solution some day!
- Former Member
Set your IdentityFile equal to the FILE_NAME and it will use that key.
Hm, I see FILE_NAME is just a single word (like foo1) but adding that as IdentityFile foo1 seems to look for an actual file. Is that the correct way to define it, or do I need a path?
- Former Member
Yes, you can specify the key to use via IdentityFile in the .ssh/config file. You can view the keys by running
SSH_AUTH_SOCK="$(readlink -f ~/Library/Group\ Containers/*.com.1password/t/agent.sock)" ssh-add -l
You'll see a line per key in the form of
KEY_SIZE SHA256:KEY_HASH FILE_NAME (KEY_TYPE)
Set your IdentityFile equal to the FILE_NAME and it will use that key.
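One way to do what the replies above describe, as an added example that is not part of the original thread and not 1Password's own code: export a single public key from the agent listing to a file and pin it per host with IdentityFile. The host name server.example.com, the function names and the sample key blobs are assumptions; IdentitiesOnly is a standard ssh_config option that stops ssh from offering the agent's other keys, which is what triggers "Too many authentication failures".

```shell
#!/bin/sh
# Added example (not from the thread): pin one agent-held key to one host.

# Constructed sample of `ssh-add -L` output; the key blobs are fake.
SAMPLE='ssh-rsa AAAAB3NzaFAKE1 foo1
ssh-rsa AAAAB3NzaFAKE2 bar1
ssh-ed25519 AAAAC3NzaFAKE3 foo2'

# pick_pubkey COMMENT: read `ssh-add -L` output on stdin and print the one
# public key whose comment (everything after the base64 blob) equals COMMENT.
# Exit status: 0 = exactly one match, 1 = no match, 2 = ambiguous.
pick_pubkey() {
    awk -v want="$1" '
        NF >= 3 {
            comment = $3
            for (i = 4; i <= NF; i++) comment = comment " " $i
            if (comment == want) { hit = $1 " " $2 " " comment; n++ }
        }
        END {
            if (n == 1) { print hit; exit 0 }
            # 0 matches: wrong name; more than 1: refuse to guess
            exit (n == 0 ? 1 : 2)
        }'
}

# host_stanza HOST PUBFILE: print the ssh_config block that pins PUBFILE.
# Only the public half is on disk; the private key stays in the agent.
host_stanza() {
    printf 'Host %s\n  IdentityFile %s\n  IdentitiesOnly yes\n' "$1" "$2"
}

# pin_key HOST COMMENT DIR: write DIR/COMMENT.pub from the listing on stdin
# and print the matching stanza. Rejects names that would escape DIR.
pin_key() {
    case "$2" in */*|'') return 3 ;; esac
    key=$(pick_pubkey "$2") || return $?
    printf '%s\n' "$key" > "$3/$2.pub"
    host_stanza "$1" "$3/$2.pub"
}

# Real use (hypothetical host), with SSH_AUTH_SOCK set as in the post above:
#   ssh-add -L | pin_key server.example.com foo1 ~/.ssh >> ~/.ssh/config
```
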