Too many authentication failures - SSH


  1. Too many authentication failures

    For most of my ssh clients I need to use as many as 9 different identities.
    However, a few machines I need to connect to will not accept more than 6
    authentication attempts. These machines also happen to not accept any of
    the identities; they are password-only (e.g. I must enter the password to
    access).

    The problem is, the ssh client attempts all the identities before attempting
    the password method, and gets disconnected before the password is even tried.
    I tried to set up a host specific entry in ~/.ssh/config for these hosts to
    give them just one identity to try (which will fail), but this just adds the
    identity to the common list; it does not override the whole list. The -i
    option has the same issue.

    The question is: How can I run the ssh client such that it will discard the
    big list of identities, either in favor of another list I could make small,
    or just not use identity files at all, so that it won't run out of attempts
    before it gets to the password attempt? I was hoping for something like
    -o 'passwordonly yes' or maybe -o 'noidentities yes' or similar. I could
    not find anything that resembled that logic.

    --
    |---------------------------------------/----------------------------------|
    | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    | first name lower case at ipal.net / spamtrap-2008-01-18-1623@ipal.net |
    |------------------------------------/-------------------------------------|

  2. Re: Too many authentication failures

    phil-news-nospam@ipal.net wrote:
    > For most of my ssh clients I need to use as many as 9 different
    > identities.


    OpenSSH?

    > The question is: How can I run the ssh client such that it will discard the
    > big list of identities, either in favor of another list I could make small,
    > or just not use identity files at all, so that it won't run out of attempts
    > before it gets to the password attempt? I was hoping for something like
    > -o 'passwordonly yes' or maybe -o 'noidentities yes' or similar. I could
    > not find anything that resembled that logic.


    PreferredAuthentications
    Specifies the order in which the client should try protocol 2
    authentication methods. This allows a client to prefer one
    method (e.g. keyboard-interactive) over another method (e.g.
    password) The default for this option is: ``gssapi-with-mic,
    hostbased, publickey, keyboard-interactive, password''.

    So I would assume setting PreferredAuthentications to
    'keyboard-interactive,password' for that host will not attempt to send
    keybased identities.

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >

  3. Re: Too many authentication failures

    On Fri, 18 Jan 2008 23:24:44 GMT Darren Dunham wrote:

    | phil-news-nospam@ipal.net wrote:
    |> For most of my ssh clients I need to use as many as 9 different
    |> identities.
    |
    | OpenSSH?
    |
    |> The question is: How can I run the ssh client such that it will discard the
    |> big list of identities, either in favor of another list I could make small,
    |> or just not use identity files at all, so that it won't run out of attempts
    |> before it gets to the password attempt? I was hoping for something like
    |> -o 'passwordonly yes' or maybe -o 'noidentities yes' or similar. I could
    |> not find anything that resembled that logic.
    |
    | PreferredAuthentications
    | Specifies the order in which the client should try protocol 2
    | authentication methods. This allows a client to prefer one
    | method (e.g. keyboard-interactive) over another method (e.g.
    | password) The default for this option is: ``gssapi-with-mic,
    | hostbased, publickey, keyboard-interactive, password''.
    |
    | So I would assume setting PreferredAuthentications to
    | 'keyboard-interactive,password' for that host will not attempt to send
    | keybased identities.

    Don't assume that. I never saw that feature. I can see it now since I
    know what name to look for from your post. It certainly wasn't the logic
    I was looking for. I was always grepping for "identity" or "identities"
    since that was clearly the thing getting in the way :-( But this makes
    sense. I'll try it when I get back to work on Monday. Thanks.

    --
    |---------------------------------------/----------------------------------|
    | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    | first name lower case at ipal.net / spamtrap-2008-01-18-2127@ipal.net |
    |------------------------------------/-------------------------------------|

  4. Re: Too many authentication failures

    phil-news-nospam@ipal.net wrote:
    > On Fri, 18 Jan 2008 23:24:44 GMT Darren Dunham wrote:


    > | So I would assume setting PreferredAuthentications to
    > | 'keyboard-interactive,password' for that host will not attempt to send
    > | keybased identities.
    >
    > Don't assume that.


    Hmm? Why not?

    > I never saw that feature. I can see it now since I know what name to
    > look for from your post. It certainly wasn't the logic I was looking
    > for.


    I doubt it's widely used.

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >

  5. Re: Too many authentication failures

    On Mon, 21 Jan 2008 16:48:38 GMT Darren Dunham wrote:
    | phil-news-nospam@ipal.net wrote:
    |> On Fri, 18 Jan 2008 23:24:44 GMT Darren Dunham wrote:
    |
    |> | So I would assume setting PreferredAuthentications to
    |> | 'keyboard-interactive,password' for that host will not attempt to send
    |> | keybased identities.
    |>
    |> Don't assume that.
    |
    | Hmm? Why not?

    What I am saying is I didn't try it because I didn't see it.

    |
    |> I never saw that feature. I can see it now since I know what name to
    |> look for from your post. It certainly wasn't the logic I was looking
    |> for.
    |
    | I doubt it's widely used.

    It just didn't exactly fit what I was thinking of when I saw the problem
    with the identities. What my thinking was is that when I specify them,
    it should _replace_ the entire list with the list I give. If I give a
    list (even of one) under a section for just a host, it should not use any
    of those in the common section. Likewise if I specify one or more -i
    options on the command line, it should not use any from the config file.
    That was my focus in looking for a solution. Obviously it was an overly
    narrow focus. I'd still prefer to have this kind of thing to keep the
    identities list under control.

    --
    |---------------------------------------/----------------------------------|
    | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    | first name lower case at ipal.net / spamtrap-2008-01-21-2313@ipal.net |
    |------------------------------------/-------------------------------------|

  6. Re: Too many authentication failures

    On 2008-01-19, phil-news-nospam@ipal.net wrote:
    > On Fri, 18 Jan 2008 23:24:44 GMT Darren Dunham wrote:

    [...]
    >| So I would assume setting PreferredAuthentications to
    >| 'keyboard-interactive,password' for that host will not attempt to send
    >| keybased identities.
    >
    > Don't assume that. I never saw that feature. I can see it now since I
    > know what name to look for from your post. It certainly wasn't the logic
    > I was looking for. I was always grepping for "identity" or "identities"
    > since that was clearly the thing getting in the way :-( But this makes
    > sense. I'll try it when I get back to work on Monday. Thanks.


    Try IdentityFile and IdentitiesOnly together in ssh_config.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  7. Re: Too many authentication failures

    On Fri, 25 Jan 2008 10:28:08 +1100 Darren Tucker wrote:
    | On 2008-01-19, phil-news-nospam@ipal.net wrote:
    |> On Fri, 18 Jan 2008 23:24:44 GMT Darren Dunham wrote:
    | [...]
    |>| So I would assume setting PreferredAuthentications to
    |>| 'keyboard-interactive,password' for that host will not attempt to send
    |>| keybased identities.
    |>
    |> Don't assume that. I never saw that feature. I can see it now since I
    |> know what name to look for from your post. It certainly wasn't the logic
    |> I was looking for. I was always grepping for "identity" or "identities"
    |> since that was clearly the thing getting in the way :-( But this makes
    |> sense. I'll try it when I get back to work on Monday. Thanks.
    |
    | Try IdentityFile and IdentitiesOnly together in ssh_config.

    That wouldn't achieve my goal, since it would turn password off entirely.
    What I wanted was fewer identities for certain hosts so that a password
    could be tried before the remote decided too many tries had been made.

    My thinking logic didn't consider the possibility of putting passwords
    before identities as PreferredAuthentications would do. What I wanted to
    see was an option I could put in the section for a specific host that
    would cause for that host all the common identities to not be used, and
    only use just the list given. Likewise, an option on the command line
    could do similar.

    Here's an idea how it could be done without adding a new option. Create
    a special string that could be given as if it were a file name for an
    identity file. Go ahead and collect identities in the usual way. When
    this particular string is encountered in the list of identities, then
    treat the list of identities as having come to an end, ignore remaining
    identities, and move on to whatever other authentication type is next.
    A string like "/dev/null" could be used, but some more meaningful string
    might be better, such as "ENDID". It should work regardless of how the
    string got into the list. If file names are checked _as_ they get added
    to the list, these special cases need to be skipped at that phase.

    I think I will use the -F option to get around the issue.

    --
    |---------------------------------------/----------------------------------|
    | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    | first name lower case at ipal.net / spamtrap-2008-01-25-0824@ipal.net |
    |------------------------------------/-------------------------------------|

  8. Re: Too many authentication failures

    On 2008-01-25, phil-news-nospam@ipal.net wrote:
    > On Fri, 25 Jan 2008 10:28:08 +1100 Darren Tucker wrote:
    >| On 2008-01-19, phil-news-nospam@ipal.net wrote:
    >|> On Fri, 18 Jan 2008 23:24:44 GMT Darren Dunham wrote:
    >| [...]
    >|>| So I would assume setting PreferredAuthentications to
    >|>| 'keyboard-interactive,password' for that host will not attempt to send
    >|>| keybased identities.
    >|>
    >|> Don't assume that. I never saw that feature. I can see it now since I
    >|> know what name to look for from your post. It certainly wasn't the logic
    >|> I was looking for. I was always grepping for "identity" or "identities"
    >|> since that was clearly the thing getting in the way :-( But this makes
    >|> sense. I'll try it when I get back to work on Monday. Thanks.
    >|
    >| Try IdentityFile and IdentitiesOnly together in ssh_config.
    >
    > That wouldn't achieve my goal, since it would turn password off entirely.
    > What I wanted was fewer identities for certain hosts so that a password
    > could be tried before the remote decided too many tries had been made.


    Did you try it? Unless I'm misunderstanding what you're trying to do,
    it does exactly what you're asking for. It doesn't turn off password
    authentication.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  9. Re: Too many authentication failures

    On Sun, 27 Jan 2008 09:31:08 +1100 Darren Tucker wrote:
    | On 2008-01-25, phil-news-nospam@ipal.net wrote:
    |> On Fri, 25 Jan 2008 10:28:08 +1100 Darren Tucker wrote:
    |>| On 2008-01-19, phil-news-nospam@ipal.net wrote:
    |>|> On Fri, 18 Jan 2008 23:24:44 GMT Darren Dunham wrote:
    |>| [...]
    |>|>| So I would assume setting PreferredAuthentications to
    |>|>| 'keyboard-interactive,password' for that host will not attempt to send
    |>|>| keybased identities.
    |>|>
    |>|> Don't assume that. I never saw that feature. I can see it now since I
    |>|> know what name to look for from your post. It certainly wasn't the logic
    |>|> I was looking for. I was always grepping for "identity" or "identities"
    |>|> since that was clearly the thing getting in the way :-( But this makes
    |>|> sense. I'll try it when I get back to work on Monday. Thanks.
    |>|
    |>| Try IdentityFile and IdentitiesOnly together in ssh_config.
    |>
    |> That wouldn't achieve my goal, since it would turn password off entirely.
    |> What I wanted was fewer identities for certain hosts so that a password
    |> could be tried before the remote decided too many tries had been made.
    |
    | Did you try it? Unless I'm misunderstanding what you're trying to do,
    | it does exactly what you're asking for. It doesn't turn off password
    | authentication.

    If it doesn't cause ssh to use only identities, then it isn't doing what
    its name clearly implies. And from what I read in (man ssh_config) it
    would use only identities as configured. Based on that, there would be
    no reason to try it, any more than any other randomly chosen option.

    --
    |---------------------------------------/----------------------------------|
    | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    | first name lower case at ipal.net / spamtrap-2008-01-26-1831@ipal.net |
    |------------------------------------/-------------------------------------|

  10. Re: Too many authentication failures

    >>>>> "PH" == phil-news-nospam writes:

    PH> On Sun, 27 Jan 2008 09:31:08 +1100 Darren Tucker wrote:
    PH> | On 2008-01-25, phil-news-nospam@ipal.net wrote:
    PH> |> On Fri, 25 Jan 2008 10:28:08 +1100 Darren Tucker wrote:
    PH> |>| On 2008-01-19, phil-news-nospam@ipal.net wrote:
    PH> |>|> On Fri, 18 Jan 2008 23:24:44 GMT Darren Dunham wrote:
    PH> |>| [...]
    PH> |>|>| So I would assume setting PreferredAuthentications to
    PH> |>|>| 'keyboard-interactive,password' for that host will not attempt to send
    PH> |>|>| keybased identities.
    PH> |>|>
    PH> |>|> Don't assume that. I never saw that feature. I can see it now since I
    PH> |>|> know what name to look for from your post. It certainly wasn't the logic
    PH> |>|> I was looking for. I was always grepping for "identity" or "identities"
    PH> |>|> since that was clearly the thing getting in the way :-( But this makes
    PH> |>|> sense. I'll try it when I get back to work on Monday. Thanks.
    PH> |>|
    PH> |>| Try IdentityFile and IdentitiesOnly together in ssh_config.
    PH> |>
    PH> |> That wouldn't achieve my goal, since it would turn password off entirely.
    PH> |> What I wanted was fewer identities for certain hosts so that a password
    PH> |> could be tried before the remote decided too many tries had been made.
    PH> |
    PH> | Did you try it? Unless I'm misunderstanding what you're trying to do,
    PH> | it does exactly what you're asking for. It doesn't turn off password
    PH> | authentication.

    PH> If it doesn't cause ssh to use only identities, then it isn't
    PH> doing what its name clearly implies. And from what I read in
    PH> (man ssh_config) it would use only identities as configured.
    PH> Based on that, there would be no reason to try it, any more than
    PH> any other randomly chosen option.

    Unfortunately, the name is suggestive of more than one interpretation.
    You are thinking that "identities only" means that it will only use
    publickey authentication. Understandable given what you're looking for,
    but that is not what this says:

    IdentitiesOnly
    Specifies that ssh(1) should only use the authentication identity
    files configured in the ssh_config files, even if ssh-agent(1)
    offers more identities. The argument to this keyword must be
    ``yes'' or ``no''. This option is intended for situations where
    ssh-agent offers many different identities. The default is
    ``no''.

    This means that, *during publickey authentication*, it will only use
    identity files, and not keys available from the agent. It says nothing
    about what authentication methods will be used; that is controlled
    separately, as Darren indicated.

    PH> --
    PH> |---------------------------------------/----------------------------------|
    PH> | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address
    PH> below | | first name lower case at ipal.net /
    PH> spamtrap-2008-01-26-1831@ipal.net |
    PH> |------------------------------------/-------------------------------------|

    --
    Richard Silverman
    res@qoxp.net


  11. Re: Too many authentication failures

    On 2008-01-27, phil-news-nospam@ipal.net wrote:
    > On Sun, 27 Jan 2008 09:31:08 +1100 Darren Tucker wrote:

    [ about IdentityFile and IdentitiesOnly together in ssh_config. ]
    >| Did you try it? Unless I'm misunderstanding what you're trying to do,
    >| it does exactly what you're asking for. It doesn't turn off password
    >| authentication.
    >
    > If it doesn't cause ssh to use only identities, then it isn't doing what
    > its name clearly implies.


    IdentitiesOnly causes ssh to use only the specified (by IdentityFile)
    public keys during public-key authentication (normally, it will try all
    of the identities offered by the agent, which is usually the cause of
    exceeding the number of attempts the server allows). It doesn't change
    whether or not public key authentication methods are attempted.

    Perhaps it would have been better named "SpecifiedIdentitiesOnly",
    but I guess it's a victim of a verbosity/descriptiveness tradeoff.

    > And from what I read in (man ssh_config) it
    > would use only identities as configured. Based on that, there would be
    > no reason to try it, any more than any other randomly chosen option.


    Other than it being suggested when you asked?

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  12. Re: Too many authentication failures

    On Sun, 27 Jan 2008 16:40:16 +1100 Darren Tucker wrote:
    | On 2008-01-27, phil-news-nospam@ipal.net wrote:
    |> On Sun, 27 Jan 2008 09:31:08 +1100 Darren Tucker wrote:
    | [ about IdentityFile and IdentitiesOnly together in ssh_config. ]
    |>| Did you try it? Unless I'm misunderstanding what you're trying to do,
    |>| it does exactly what you're asking for. It doesn't turn off password
    |>| authentication.
    |>
    |> If it doesn't cause ssh to use only identities, then it isn't doing what
    |> its name clearly implies.
    |
    | IdentitiesOnly causes ssh to use only the specified (by IdentityFile)
    | public keys during public-key authentication (normally, it will try all
    | of the identities offered by the agent, which is usually the cause of
    | exceeding the number of attempts the server allows). It doesn't change
    | whether or not public key authentication methods are attempted.
    |
    | Perhaps it would have been better named "SpecifiedIdentitiesOnly",
    | but I guess it's a victim of a verbosity/descriptiveness tradeoff.

    Or "UseAgentKeys no" ?


    |> And from what I read in (man ssh_config) it
    |> would use only identities as configured. Based on that, there would be
    |> no reason to try it, any more than any other randomly chosen option.
    |
    | Other than it being suggested when you asked?

    It is a frequent experience that people don't understand what I asked.
    Sorry if that's not the case here. Over the history of Usenet, this does
    happen a whole lot. Maybe that's also a problem of the tradeoff of
    verbosity vs. not in Usenet posts. Did I explain myself well enough?
    Quite often I'm not in an easy position to "just try it". Right now I
    cannot until I go to work tomorrow.

    Now the question, is there a reason to believe it will work? From what
    you say it, I still believe not. That is because I'm not even using an
    agent at all. All the keys are from the IdentityFile directives in the
    config file. How is IdentitiesOnly going to change that?

    The current solution is to use an entirely different config file via the
    -F option, for certain hosts. And since this involves rsync running via
    ssh, I intercepted the ssh command via /usr/local/bin/ssh. It parses the
    command line and determines what is going on and from that which config
    file to select.

    --
    |---------------------------------------/----------------------------------|
    | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    | first name lower case at ipal.net / spamtrap-2008-01-27-0811@ipal.net |
    |------------------------------------/-------------------------------------|

  13. Re: Too many authentication failures

    On Sat, 26 Jan 2008 22:32:34 -0500 Richard E. Silverman wrote:

    | Unfortunately, the name is suggestive of more than one interpretation.
    | You are thinking that "identities only" means that it will only use
    | publickey authentication. Understandable given what you're looking for,
    | but that is not what this says:
    |
    | IdentitiesOnly
    | Specifies that ssh(1) should only use the authentication identity
    | files configured in the ssh_config files, even if ssh-agent(1)
    | offers more identities. The argument to this keyword must be
    | ``yes'' or ``no''. This option is intended for situations where
    | ssh-agent offers many different identities. The default is
    | ``no''.
    |
    | This means that, *during publickey authentication*, it will only use
    | identity files, and not keys available from the agent. It says nothing
    | about what authentication methods will be used; that is controlled
    | separately, as Darren indicated.

    And this changes things for me, someone not using an agent at all, in what
    way? How will this reduce the number of identity keys when all of them are
    specified in the common part of the config file (when trying to do it all
    in one config file)?

    As long as I can have PreferredAuthentications one way in the common part
    of the config file, and have it differently in a host specific section,
    quite unlike how IdentityFile is handled (it doesn't replace, it adds on),
    then PreferredAuthentications can work. Or else I stick with the -F option
    workaround.

    --
    |---------------------------------------/----------------------------------|
    | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    | first name lower case at ipal.net / spamtrap-2008-01-27-0821@ipal.net |
    |------------------------------------/-------------------------------------|

  14. Re: Too many authentication failures

    On 2008-01-27, phil-news-nospam@ipal.net wrote:
    > On Sun, 27 Jan 2008 16:40:16 +1100 Darren Tucker wrote:

    [...]
    >| Perhaps it would have been better named "SpecifiedIdentitiesOnly",
    >| but I guess it's a victim of a verbosity/descriptiveness tradeoff.
    >
    > Or "UseAgentKeys no" ?


    That would be misleading, it will use keys from the agent, but only the
    ones specified by IdentityFile (ie you can load a bunch of keys into
    the agent and pick which one to use per-host).

    >|> And from what I read in (man ssh_config) it
    >|> would use only identities as configured. Based on that, there would be
    >|> no reason to try it, any more than any other randomly chosen option.
    >|
    >| Other than it being suggested when you asked?
    >
    > It is a frequent experience that people don't understand what I asked.
    > Sorry if that's not the case here. Over the history of Usenet, this does
    > happen a whole lot. Maybe that's also a problem of the tradeoff of
    > verbosity vs. not in Usenet posts. Did I explain myself well enough?
    > Quite often I'm not in an easy position to "just try it". Right now I
    > cannot until I go to work tomorrow.
    >
    > Now the question, is there a reason to believe it will work? From what
    > you say it, I still believe not. That is because I'm not even using an
    > agent at all. All the keys are from the IdentityFile directives in the
    > config file. How is IdentitiesOnly going to change that?


    It won't. I didn't realise from your earlier messages that you were not
    using the agent. In that case, PreferredAuthentications will also do
    what you want.

    Maybe there should be a way to clear the IdentityFile list (eg
    "IdentityFile none").

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  15. Re: Too many authentication failures

    On Mon, 28 Jan 2008 17:41:37 +1100 Darren Tucker wrote:
    | On 2008-01-27, phil-news-nospam@ipal.net wrote:
    |> On Sun, 27 Jan 2008 16:40:16 +1100 Darren Tucker wrote:
    | [...]
    |>| Perhaps it would have been better named "SpecifiedIdentitiesOnly",
    |>| but I guess it's a victim of a verbosity/descriptiveness tradeoff.
    |>
    |> Or "UseAgentKeys no" ?
    |
    | That would be misleading, it will use keys from the agent, but only the
    | ones specified by IdentityFile (ie you can load a bunch of keys into
    | the agent and pick which one to use per-host).

    Well, maybe once I use the agent, I will come up with a better idea.


    |>|> And from what I read in (man ssh_config) it
    |>|> would use only identities as configured. Based on that, there would be
    |>|> no reason to try it, any more than any other randomly chosen option.
    |>|
    |>| Other than it being suggested when you asked?
    |>
    |> It is a frequent experience that people don't understand what I asked.
    |> Sorry if that's not the case here. Over the history of Usenet, this does
    |> happen a whole lot. Maybe that's also a problem of the tradeoff of
    |> verbosity vs. not in Usenet posts. Did I explain myself well enough?
    |> Quite often I'm not in an easy position to "just try it". Right now I
    |> cannot until I go to work tomorrow.
    |>
    |> Now the question, is there a reason to believe it will work? From what
    |> you say it, I still believe not. That is because I'm not even using an
    |> agent at all. All the keys are from the IdentityFile directives in the
    |> config file. How is IdentitiesOnly going to change that?
    |
    | It won't. I didn't realise from your earlier messages that you were not
    | using the agent. In that case, PreferredAuthentications will also do
    | what you want.
    |
    | Maybe there should be a way to clear the IdentityFile list (eg
    | "IdentityFile none").

    Yes, that would help. It would make sense in a section of the config file
    for specific hosts. It could simply mean, not to use any of the files in
    the common part of the config file. Likewise, an option on the command line,
    though in theory -o and the config directive could still do it, followed by
    the identities actually wanted, if any.

    --
    |---------------------------------------/----------------------------------|
    | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    | first name lower case at ipal.net / spamtrap-2008-01-28-2213@ipal.net |
    |------------------------------------/-------------------------------------|
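
The behaviour the thread converges on, as an added example that is not part of any post: a small Python model of how ssh_config resolves `IdentityFile` (cumulative across matching `Host` blocks) versus `PreferredAuthentications` (first value obtained wins), and what that means against a server that allows 6 attempts. The host name `legacy.example.net`, the key file names and the helper functions are constructed for illustration; the model ignores `Match`, negated patterns, quoting and ssh-agent, and assumes every listed key exists and is rejected by the server.

```python
import fnmatch

# Default method order as quoted from the man page in the thread.
DEFAULT_METHODS = "gssapi-with-mic,hostbased,publickey,keyboard-interactive,password"
# Assumption: the server advertises these methods but accepts no key for this user.
SERVER_METHODS = ("publickey", "keyboard-interactive", "password")
MAX_TRIES = 6                      # server limit described in the first post
HOST = "legacy.example.net"        # constructed host name

# Constructed sample config: nine keys in the common section.
COMMON = "Host *\n" + "".join(
    f"    IdentityFile ~/.ssh/id_key{i}\n" for i in range(1, 10))

# Attempted fix from the first post: one host-specific identity.
EXTRA_IDENTITY = f"Host {HOST}\n    IdentityFile ~/.ssh/id_dummy\n"

# Fix suggested in the thread: try password-style methods first for this host.
# The block is placed before "Host *" because the first value obtained wins.
PASSWORD_FIRST = (f"Host {HOST}\n"
                  "    PreferredAuthentications keyboard-interactive,password\n")


def resolve(config_text, host):
    """Return (identity_files, method_order) that apply to `host`."""
    identities, preferred, active = [], None, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            # A Host line switches the following options on or off for this host.
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif not active:
            continue
        elif key == "identityfile":
            # Cumulative: every matching block adds to the list.
            if value not in identities:
                identities.append(value)
        elif key == "preferredauthentications" and preferred is None:
            # Single-valued: only the first value obtained is used.
            preferred = value
    return identities, (preferred or DEFAULT_METHODS).split(",")


def first_password_attempt(config_text, host, max_tries=MAX_TRIES):
    """Return the 1-based attempt number at which a password-style method is
    first tried, or None if the server disconnects before that point."""
    identities, methods = resolve(config_text, host)
    failures = 0
    for method in methods:
        if method not in SERVER_METHODS:
            continue               # client skips methods the server does not offer
        if method in ("keyboard-interactive", "password"):
            return failures + 1
        for _ in identities:       # publickey: one failed attempt per rejected key
            failures += 1
            if failures >= max_tries:
                return None        # "Too many authentication failures"
    return None


if __name__ == "__main__":
    for label, cfg in [("common section only", COMMON),
                       ("host-specific IdentityFile", EXTRA_IDENTITY + COMMON),
                       ("host-specific PreferredAuthentications",
                        PASSWORD_FIRST + COMMON)]:
        keys, _ = resolve(cfg, HOST)
        print(f"{label}: {len(keys)} keys, password reached at attempt "
              f"{first_password_attempt(cfg, HOST)}")
```
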
