IETF-SSH archive


Re: "too many auth failures"?



>>>>> "PG" == Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost> writes:

PG> I don't think it is.  If you've set the server up to allow three
PG> tries at auth then you get three tries (I'm assuming it's set up to
PG> allow six here, which is a bit non-traditional, I would have
PG> expected three).  Stepping back a bit, why are you sending *six*
PG> keys to the server?  Shouldn't the client know which key it's
PG> supposed to use?  It seems more like the client is broken than the
PG> server.

I only use openssh clients.  I can’t speak for other implementations.

If you have separate key pairs for specific remote sites, it is very
easy to end up with several keys loaded into ssh-agent(1).

Ssh(1) will try the key specified on the command line or in the config
files for the specified remote host, if any.  Should that fail, it then
tries every key in the agent in the order they were ssh-add(1)ed.

It seems clear that few if any of the early implementers used more than
one rsa, one dsa and one ssh1 key per account back when the v2 protocol
worked its way through this working group.  Else this issue would have
been on the radar back then.

One implementation fix would be a way to say not only ‘use this private
key for that set of server(s)’, but also ‘use this private key for ONLY
that set of server(s)’.  I’m not aware of a way to do that in openssh’s
config files.

-JimC
-- 
James Cloos <cloos%jhcloos.com@localhost>         OpenPGP: 1024D/ED7DAEA6
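Added example, not part of James Cloos's mail and not OpenSSH's own code: a small Python model of the key-offering order the mail describes (command-line identity, then IdentityFile entries from ssh_config for the host, then every agent key in ssh-add order), used to check how many public-key attempts a client would spend against a server's MaxAuthTries before ever reaching the right key. The ssh_config fragment and agent key list are constructed sample data; keys are represented by their file path only. The model is an assumption of this example and deliberately omits OpenSSH's default identity files and the finer ordering rules of later OpenSSH releases. It does include the `IdentitiesOnly` directive, which OpenSSH's ssh_config supports and which stops the client from offering agent keys beyond the ones configured for that host.

```python
"""Model of which keys an OpenSSH-style client offers to a given host.

Simplified model (an assumption of this example, not OpenSSH's exact
algorithm): the identity named on the command line is tried first, then
the IdentityFile entries that ssh_config accumulates for the host, then,
unless IdentitiesOnly is set, every key loaded in the agent in the order
it was added.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample ~/.ssh/config (not from the mail).
SAMPLE_CONFIG = """
# global identity, applies to every host
IdentityFile ~/.ssh/id_rsa

Host git.example.org
    IdentityFile ~/.ssh/id_git
    IdentitiesOnly yes

Host *.example.net
    IdentityFile ~/.ssh/id_work
"""

# Constructed list of keys in the agent, in ssh-add order.
AGENT_KEYS = [
    "~/.ssh/id_rsa",
    "~/.ssh/id_git",
    "~/.ssh/id_work",
    "~/.ssh/id_site1",
    "~/.ssh/id_site2",
    "~/.ssh/id_site3",
    "~/.ssh/id_site4",
]


@dataclass
class ResolvedHost:
    identity_files: List[str] = field(default_factory=list)
    identities_only: Optional[bool] = None  # None: never set for this host


def resolve_host(host: str, config_text: str) -> ResolvedHost:
    """Apply the ssh_config subset (Host, IdentityFile, IdentitiesOnly) to one host.

    Two ssh_config rules matter here: IdentityFile values accumulate across
    every matching block, while for IdentitiesOnly the first matching block
    that sets it wins.  Directives before the first Host line apply to all.
    """
    resolved = ResolvedHost()
    active = True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            patterns = value.split()
            positive = [p for p in patterns if not p.startswith("!")]
            negative = [p[1:] for p in patterns if p.startswith("!")]
            active = any(fnmatch.fnmatchcase(host, p) for p in positive) and not any(
                fnmatch.fnmatchcase(host, p) for p in negative
            )
            continue
        if not active:
            continue
        if key == "identityfile":
            resolved.identity_files.append(value)
        elif key == "identitiesonly" and resolved.identities_only is None:
            resolved.identities_only = value.lower() == "yes"
    return resolved


def offered_keys(host: str, config_text: str, agent_keys: List[str],
                 cli_identity: Optional[str] = None) -> List[str]:
    """Return the keys the client would offer, in order, without duplicates."""
    cfg = resolve_host(host, config_text)
    order: List[str] = []
    if cli_identity:
        order.append(cli_identity)
    order.extend(cfg.identity_files)
    if not cfg.identities_only:
        order.extend(agent_keys)  # the agent sweep the mail complains about
    seen = set()
    result = []
    for key in order:
        if key not in seen:
            seen.add(key)
            result.append(key)
    return result


def exceeds_max_auth_tries(keys: List[str], max_auth_tries: int = 6) -> bool:
    """True when the offered keys alone would exhaust the server's MaxAuthTries."""
    return len(keys) > max_auth_tries


if __name__ == "__main__":
    for host in ("box.example.net", "git.example.org"):
        keys = offered_keys(host, SAMPLE_CONFIG, AGENT_KEYS)
        print(host, len(keys), "keys offered;",
              "would trip MaxAuthTries=6" if exceeds_max_auth_tries(keys) else "ok")
```

Running it shows the two outcomes side by side: the host without `IdentitiesOnly` gets its two configured keys followed by the rest of the agent, seven offers in all, which is more than a MaxAuthTries of 6 allows, while the host with `IdentitiesOnly yes` is limited to the two keys configured for it.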