How to Keep ssh-agent from Sticking its Nose Where it Doesn't Belong

For the longest time, I've been fighting with this problem:

$ ssh someserver.ca
Received disconnect from 123.123.123.123: 2: Too many authentication failures for username

It never asked for my password; it just flat-out failed. After some digging, I realised that the force behind this was my use of ssh-agent, a daemon that holds onto the myriad of keys (and their respective passwords) that I use to access all of my servers. It turns out that by default ssh-agent attempts to use every key you've got to access a server. However, because the destination server usually rejects more than 6 login attempts, the whole thing blows up before it ever gets to the "enter your password" step.

The solution is this handy one-liner in your ssh client config (~/.ssh/config or /etc/ssh/ssh_config):

  Host *
    IdentitiesOnly yes

Contrary to what you might think this means, IdentitiesOnly doesn't force the use of identities; rather, it tells the client to use only the identities explicitly defined for this host. This way my client uses the identities assigned to a host via the config, and an identity that isn't set for a host isn't used for it.

Why this isn't the default is beyond me.
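
A quick diagnostic for the failure described above, added here as an example and not part of the original post: it counts the keys the agent holds and checks whether IdentitiesOnly is in effect for a host. The function names, the constructed sample listing and the limit of 6 (the figure the post mentions) are assumptions; `ssh -G` needs OpenSSH 6.8 or later.

```shell
#!/bin/sh
# Added example (not from the original post). All function names are hypothetical.

# Count the keys in `ssh-add -l` output read from stdin.
# Key lines start with the key size in bits; "The agent has no identities." does not.
agent_key_count() {
    grep -c -E '^[0-9]+ ' || true   # grep -c exits 1 on zero matches
}

# Print the value of option $1 from `ssh -G <host>` output read from stdin.
effective_option() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# diagnose KEYS IDENTITIESONLY [LIMIT]
# Returns 1 when the agent may offer enough keys to use up the server's
# allowance before a password prompt. LIMIT defaults to 6, the figure from the
# post; the real value is whatever MaxAuthTries is on the server.
diagnose() {
    keys=$1; only=$2; limit=${3:-6}
    if [ "$only" = "yes" ]; then
        echo "ok: IdentitiesOnly is on, only configured identities are offered"
    elif [ "$keys" -ge "$limit" ]; then
        echo "at risk: agent holds $keys keys, assumed server limit is $limit"
        return 1
    else
        echo "ok: agent holds $keys keys, below the assumed limit of $limit"
    fi
}

# Constructed sample of `ssh-add -l` output with seven keys (not real fingerprints).
sample_agent_listing() {
    i=1
    while [ "$i" -le 7 ]; do
        echo "2048 SHA256:constructed-fingerprint-$i key$i@laptop (RSA)"
        i=$((i + 1))
    done
}

# Constructed sample of `ssh -G someserver.ca` output before the fix.
sample_effective_config() {
    printf '%s\n' 'user username' 'hostname someserver.ca' \
        'identitiesonly no' 'identityfile ~/.ssh/id_rsa'
}

# Live use against a real agent and host:
#   diagnose "$(ssh-add -l | agent_key_count)" \
#            "$(ssh -G someserver.ca | effective_option identitiesonly)"
```

Run the live command before and after adding `IdentitiesOnly yes` to see the verdict change for the same agent.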
