Re: Too many authentication failures



"PH" == phil-news-nospam <phil-news-nospam@xxxxxxxx> writes:

PH> On Sun, 27 Jan 2008 09:31:08 +1100 Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> wrote:
PH> | On 2008-01-25, phil-news-nospam@xxxxxxxx <phil-news-nospam@xxxxxxxx> wrote:
PH> |> On Fri, 25 Jan 2008 10:28:08 +1100 Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> wrote:
PH> |>| On 2008-01-19, phil-news-nospam@xxxxxxxx <phil-news-nospam@xxxxxxxx> wrote:
PH> |>|> On Fri, 18 Jan 2008 23:24:44 GMT Darren Dunham <ddunham@xxxxxxxx> wrote:
PH> |>| [...]
PH> |>|>| So I would assume setting PreferredAuthentications to
PH> |>|>| 'keyboard-interactive,password' for that host will not attempt to send
PH> |>|>| keybased identities.
PH> |>|>
PH> |>|> Don't assume that. I never saw that feature. I can see it now since I
PH> |>|> know what name to look for from your post. It certainly wasn't the logic
PH> |>|> I was looking for. I was always grepping for "identity" or "identities"
PH> |>|> since that was clearly the thing getting in the way :-( But this makes
PH> |>|> sense. I'll try it when I get back to work on Monday. Thanks.
PH> |>|
PH> |>| Try IdentityFile and IdentitiesOnly together in ssh_config.
PH> |>
PH> |> That wouldn't achieve my goal, since it would turn password off entirely.
PH> |> What I wanted was fewer identities for certain hosts so that a password
PH> |> could be tried before the remote decided too many tries had been made.
PH> |
PH> | Did you try it? Unless I'm misunderstanding what you're trying to do,
PH> | it does exactly what you're asking for. It doesn't turn off password
PH> | authentication.

PH> If it doesn't cause ssh to use only identities, then it isn't
PH> doing what its name clearly implies. And from what I read in
PH> (man ssh_config) it would use only identities as configured.
PH> Based on that, there would be no reason to try it, any more than
PH> any other randomly chosen option.

Unfortunately, the name is suggestive of more than one interpretation.
You are thinking that "identities only" means that it will only use
publickey authentication. Understandable given what you're looking for,
but that is not what this says:

    IdentitiesOnly
        Specifies that ssh(1) should only use the authentication identity
        files configured in the ssh_config files, even if ssh-agent(1)
        offers more identities. The argument to this keyword must be
        ``yes'' or ``no''. This option is intended for situations where
        ssh-agent offers many different identities. The default is
        ``no''.

This means that, *during publickey authentication*, it will only use
identity files, and not keys available from the agent. It says nothing
about what authentication methods will be used; that is controlled
separately, as Darren indicated.

PH> --
PH> |---------------------------------------/----------------------------------|
PH> | Phil Howard KA9WGN (ka9wgn.ham.org)  /  Do not send to the address below |
PH> | first name lower case at ipal.net   /  spamtrap-2008-01-26-1831@xxxxxxxx |
PH> |------------------------------------/-------------------------------------|

--
Richard Silverman
res@xxxxxxxx
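
The two approaches discussed in this thread, side by side as an ssh_config fragment. This is an added example, not part of the original post; the host names and the key file path are placeholders.

```sshconfig
# Added example: host names and key path below are placeholders.

# Approach 1 (IdentityFile + IdentitiesOnly): restrict WHICH keys are offered
# during publickey authentication. Only the one key named here is offered,
# even if ssh-agent holds many more, so fewer attempts are used up before
# the client moves on to the next authentication method.
Host legacy.example.com
    IdentityFile ~/.ssh/id_legacy_example
    IdentitiesOnly yes
    # PreferredAuthentications is deliberately not set here: the default
    # method list still includes keyboard-interactive and password, so a
    # password prompt follows if the key is refused.

# Approach 2 (PreferredAuthentications): restrict WHICH METHODS are tried.
# publickey is left out of the list, so no identities are sent at all.
Host passwordonly.example.com
    PreferredAuthentications keyboard-interactive,password

# Caveat: IdentityFile directives accumulate across every matching Host
# block. An IdentityFile placed under "Host *" would also be offered to
# legacy.example.com, even with IdentitiesOnly yes set there.
Host *
    IdentitiesOnly no
```

Running `ssh -G legacy.example.com` prints the resolved `identitiesonly` and `identityfile` values for that host, and `ssh -v` shows each key as it is offered, which confirms how many publickey attempts precede the password prompt.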
