Home / server / Questions / 139870
Accepted
Amandasaurus
Asked: 2010-05-09 08:58:44 +0800 CST

Stop ssh client from offering all the public keys it can find?

  • 772

Like most sysadmins I use openssh all the time. I have about a dozen ssh keys, I like to have a different ssh key for each host. However this causes a problem when I am connecting to a host for the first time, and all I have is a password. I want to just connect to the host using a password, no ssh key in this case. However the ssh client will offer all the public keys in my ~/.ssh/ (I know this from looking at the output of ssh -v). Since I have so many, I will get disconnected for too many authentication failures.

Is there some way to tell my ssh client to not offer all the ssh keys?

ssh public-key private-key

5 Answers

  1. Although others have hinted at this with configuration-based solutions, it's probably worth pointing out that you can easily do this one-time-only on the command line with:

    ssh -o 'PubkeyAuthentication no' myhostname.mydomain
    • 52
  2. Best Answer

    This is expected behaviour according to the man page of ssh_config:

     IdentityFile
         Specifies a file from which the user's DSA, ECDSA or DSA authentica‐
         tion identity is read.  The default is ~/.ssh/identity for protocol
         version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for
         protocol version 2.  Additionally, any identities represented by the
         authentication agent will be used for authentication.  

         [...]

         It is possible to have multiple identity files specified in configu‐
         ration files; all these identities will be tried in sequence.  Mul‐
         tiple IdentityFile directives will add to the list of identities
         tried (this behaviour differs from that of other configuration
         directives).

    Basically, specifying IdentityFiles just adds keys to a current list the SSH agent already presented to the client.

    Try overriding this behaviour with this at the bottom of your .ssh/config file:

    Host *
  IdentitiesOnly yes

    You can also override this setting on the host level, e.g.:

    Host foo
  User bar
  IdentityFile /path/to/key
  IdentitiesOnly yes
    • 48

  3. Following James Sneeringer's solution, you might just want to set an ssh_config along the lines of:

    Host *.mycompany.com
  IdentityFile .ssh/id_dsa_mycompany_main

Host *.mycustomer.com
  IdentityFile .ssh/id_dsa_mycustomer

Host *
  RSAAuthentication no #this should be up top, avoid ssh1 at all costs
  PubkeyAuthentication no

    If you connect with a particular key to many machines not in a common domain, consider giving them all CNAMEs in your own DNS. I do this with all customer systems.

    • 13

  4. Similar to user23413's solution, you can disable public key authentication altogether for a particular host (or wildcard pattern):

    Host *.example.org
RSAAuthentication no        # SSHv1
PubkeyAuthentication no     # SSHv2
    • 2

  5. If you point to a particular key file with ssh -i /path/to/key it'll only use that one even if others are loaded into the agent, and you won't be prompted for the password. You can also edit you ~/.ssh/config and ad something like this...

    Host foo.example.com
    IdentityFile .ssh/id_rsa_foo.example.com

    you can also do...

    Host *.example.org
    IdentityFile .ssh/id_rsa_example.org

    • -1