I was trying to debug an ssh problem, Too many authentication failures, and find with ssh -vv that ssh is presenting lots of keys before falling back to try a password. On investigation I find that these keys are added somehow with ssh-agent running from startx when X11 is started. I have a lot of keys in my ~/.ssh directory for different machines, transferred through many system updates over the years. I had not even realized that ssh-agent was running.

I thought that ssh-add, per the manpage, would add by default just id_dsa, id_rsa and identity. But somehow it is adding BillBrewer.pub, JanStewer.pub, PeterGurney.pub, PeterDavy.pub, DanlWhiddon, HarryHawke.pub, OldUncleTomCobley.pub as well, and presenting the whole lot on every login session when I expect to give a password. So sshd on the server decides that enough is enough and disconnects.

How can I control this behaviour? Apart from removing my extra public keys from my .ssh directory and just keeping the private ones I need, but that's always been a convenient place to keep them in the past.

For that matter, how can I stop ssh-agent running if I want to?

Is this a security issue (sending keys to servers that are not supposed to get them)?

I realize that I can override it on a per-session basis with -o PreferredAuthentications=password but I'd prefer a systemic fix.

- more strangeness: I tried using ssh-add -D to remove all identities, or ssh-add -d *.pub, but when I use ssh-add -l, they are all still there.

CentOS release 6.5, OpenSSH_5.3p1, openssh-clients-5.3p1
Best Answer
Well first off, keys are supposed to identify the client, not the remote server. Thus you should only have a very small number of keys (such as 1).

The official ssh-agent utility itself will only look for a few predefined names when looking for your keys (~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/identity). However there are other ssh key agents other than ssh-agent. You likely have a keyring daemon running (such as gnome-keyring-daemon). The keyring daemon is likely started by your desktop environment by default. Go poking around in your desktop environment session settings to turn it off.

You can also put IdentitiesOnly=yes in your ~/.ssh/config file, but I wouldn't consider this the "right" answer.

In regards to sending extra keys to the server: no, this is not any sort of security risk.
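As an added example (not part of the original question or answer), a small POSIX shell script that triages the situation described above: it counts the keys offered in a constructed ssh -vv log, compares the count against sshd's default MaxAuthTries of 6 (the limit behind "Too many authentication failures"), and checks a constructed ~/.ssh/config fragment for the IdentitiesOnly directive the answer mentions. The log lines, key names, host name and address are all constructed sample data.

```shell
#!/bin/sh
# Constructed sample of `ssh -vv` output (not from the original post): an
# agent holding several keys, each offered and refused before the password
# prompt is ever reached.
SAMPLE_LOG='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/BillBrewer
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/JanStewer
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/PeterGurney
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/PeterDavy
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/DanlWhiddon
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user/.ssh/HarryHawke
Received disconnect from 192.0.2.10: 2: Too many authentication failures for user'

# Count how many keys the client offered (one "Offering public key" line
# per attempt). `|| true` keeps grep's exit status 1 on zero matches from
# aborting a script run under `set -e`.
count_offered_keys() {
    printf '%s\n' "$1" | grep -c '^debug1: Offering public key:' || true
}

# sshd's default MaxAuthTries is 6; every refused key consumes one try, so
# offering at least that many keys means password auth is never reached.
# The second argument overrides the limit for servers with a custom value.
exceeds_max_auth_tries() {
    n=$(count_offered_keys "$1")
    [ "$n" -ge "${2:-6}" ]
}

# Check a client config text for IdentitiesOnly, which makes ssh offer only
# the IdentityFile keys configured for that host rather than every agent key.
has_identities_only() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*IdentitiesOnly[[:space:]=]*yes'
}

# Constructed ~/.ssh/config fragment showing the directive in use: one
# explicitly named key for one host, nothing else offered anywhere.
FIXED_CONFIG='Host *
    IdentitiesOnly yes
Host build.example.com
    IdentityFile ~/.ssh/id_rsa'

if exceeds_max_auth_tries "$SAMPLE_LOG"; then
    echo "$(count_offered_keys "$SAMPLE_LOG") keys offered: expect a disconnect before the password prompt"
fi
has_identities_only "$FIXED_CONFIG" && echo "config restricts offered identities"
```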