Re: Too many authentication failures



On Sun, 27 Jan 2008 16:40:16 +1100 Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> wrote:
| On 2008-01-27, phil-news-nospam@xxxxxxxx <phil-news-nospam@xxxxxxxx> wrote:
|> On Sun, 27 Jan 2008 09:31:08 +1100 Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> wrote:
| [ about IdentityFile and IdentitiesOnly together in ssh_config. ]
|>| Did you try it? Unless I'm misunderstanding what you're trying to do,
|>| it does exactly what you're asking for. It doesn't turn off password
|>| authentication.
|>
|> If it doesn't cause ssh to use only identities, then it isn't doing what
|> its name clearly implies.
|
| IdentitiesOnly causes ssh to use only the specified (by IdentityFile)
| public keys during public-key authentication (normally, it will try all
| of the identities offered by the agent, which is usually the cause of
| exceeding the number of attempts the server allows). It doesn't change
| whether or not public key authentication methods are attempted.
|
| Perhaps it would have been better named "SpecifiedIdentitiesOnly",
| but I guess it's a victim of a verbosity/descriptiveness tradeoff.

Or "UseAgentKeys no" ?


|> And from what I read in (man ssh_config) it
|> would use only identities as configured. Based on that, there would be
|> no reason to try it, any more than any other randomly chosen option.
|
| Other than it being suggested when you asked?

It is a frequent experience that people don't understand what I asked.
Sorry if that's not the case here. Over the history of Usenet, this does
happen a whole lot. Maybe that's also a problem of the tradeoff of
verbosity vs. not in Usenet posts. Did I explain myself well enough?
Quite often I'm not in an easy position to "just try it". Right now I
cannot until I go to work tomorrow.

Now the question, is there a reason to believe it will work? From what
you say, I still believe not. That is because I'm not even using an
agent at all. All the keys are from the IdentityFile directives in the
config file. How is IdentitiesOnly going to change that?

The current solution is to use an entirely different config file via the
-F option, for certain hosts. And since this involves rsync running via
ssh, I intercepted the ssh command via /usr/local/bin/ssh. It parses the
command line and determines what is going on and from that which config
file to select.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2008-01-27-0811@xxxxxxxx |
|------------------------------------/-------------------------------------|
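As an added illustration (example code, not from this thread and not OpenSSH's own), the following Python models the two rules the exchange turns on: IdentityFile directives accumulate across every matching Host block, while IdentitiesOnly only decides whether agent keys are offered, so with no agent in use it changes nothing. It assumes a simplified ssh_config (no negated patterns, no Match blocks), sshd's default MaxAuthTries of 6, and a constructed config with six global keys.

```python
from fnmatch import fnmatch

MAX_AUTH_TRIES = 6  # sshd_config default; every rejected key is one failed attempt

# Constructed ssh_config (not from the post): all IdentityFile lines are global,
# so every one of them is offered to every host, agent or no agent.
GLOBAL_KEYS_CONFIG = """
IdentityFile ~/.ssh/id_work
IdentityFile ~/.ssh/id_home
IdentityFile ~/.ssh/id_backup
IdentityFile ~/.ssh/id_colo
IdentityFile ~/.ssh/id_client_a
IdentityFile ~/.ssh/id_client_b
Host backup.example.net
    IdentitiesOnly yes
"""

def parse_ssh_config(text):
    """Split ssh_config into (host patterns, [(option, value), ...]) blocks."""
    blocks = [(["*"], [])]  # implicit global section before the first Host
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key.lower(), value.strip()))
    return blocks

def offered_keys(config_text, host, agent_keys=()):
    """Keys ssh offers for host: agent keys unless IdentitiesOnly is set (first
    matching value wins), plus IdentityFile from every matching block (accumulate)."""
    files, identities_only = [], None
    for patterns, options in parse_ssh_config(config_text):
        if not any(fnmatch(host, p) for p in patterns):
            continue
        for key, value in options:
            if key == "identityfile":
                files.append(value)
            elif key == "identitiesonly" and identities_only is None:
                identities_only = value.lower() == "yes"
    return ([] if identities_only else list(agent_keys)) + files

def exceeds_max_auth_tries(config_text, host, agent_keys=(), limit=MAX_AUTH_TRIES):
    """True when sshd would disconnect (failures reach MaxAuthTries) before the
    last key, or the password prompt, is ever reached."""
    return len(offered_keys(config_text, host, agent_keys)) >= limit
```

Scoping each IdentityFile under the Host that accepts it is what brings the count back under the limit; IdentitiesOnly alone does not, which is the point made in the reply above.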