MSSH uses all keys within the ssh-agent, rather than the generated key, causing logins to fail. #10

Closed
brennentsmith opened this issue Oct 17, 2019 · 2 comments


brennentsmith commented Oct 17, 2019

Mssh only uses the -i flag, which instructs SSH to use the SSH key generated by the command. However, this still includes keys within the SSH agent and the included key is appended to the end of the list. This ends in a case such as:

ssh -v -i .ssh/mssh-test-key
...
debug1: Will attempt key: /Users/brennen/.ssh/id_rsa RSA SHA256:aq5DfI03U0cg3R2ldH1J6fkgvhhvlkiSVvwlKj3UUy4 explicit agent
debug1: Will attempt key:  RSA SHA256:KCLZa00/5k0r/+eUA4XjTy0mSK+J1VTymgCI7MoppQk agent
debug1: Will attempt key:  RSA SHA256:N0Y0a7S9D9kpRiMCWfvde1VpsfRvTdC3tZOB6AYt6C8 agent
debug1: Will attempt key:  RSA SHA256:4/uxFtPhd/pGLfgR757fTUE9hM4ugELRTbhV6uHhoe0 agent
debug1: Will attempt key:  RSA SHA256:pRB0RCJ0Vy4GsXyaWmOHNPsX2khLdYsj3FupVqN5WTw agent
debug1: Will attempt key:  RSA SHA256:m1gvgtql3w1ss+htr+PbfbYiATHCAkbuQeO8IDTWSp4 agent
debug1: Will attempt key: .ssh/mssh-test-key RSA SHA256:owkdvBu50fefHr5a79gewBpr2WH6z6WQPOwvU6aKDdc explicit

The key defined with the -i flag is added to the list last. This causes failures to log in, as SSH is configured on AMZN Linux to drop a connection after 5 failures.

The SSH option IdentitiesOnly=yes ensures that only the files defined in the ssh config file and the explicit identity are used.

ssh -v -i .ssh/mssh-test-key -o "IdentitiesOnly=yes"
...
debug1: Will attempt key: /Users/brennen/.ssh/id_rsa RSA SHA256:aq5DfI03U0cg3R2ldH1J6fkgvhhvlkiSVvwlKj3UUy4 explicit agent
debug1: Will attempt key: .ssh/mssh-test-key RSA SHA256:owkdvBu50fefHr5a79gewBpr2WH6z6WQPOwvU6aKDdc explicit

This ensures that the mssh command uses the mssh generated key and does not fail.


rcj4747 commented Apr 10, 2020

This really would be best to add. Otherwise, when you get user reports of failures, you can't know that it even failed with the key you're generating. I will file a bug upstream in Ubuntu (my OS of choice) to consider trying explicit keys before keys from the agent, but the CLI should add '-o IdentitiesOnly=yes' to ensure the ephemeral key (and only the ephemeral key) is used for the connection.

CptTZ (Contributor) commented Apr 10, 2020

Thanks for the feedback!

We are working on explicitly specifying IdentitiesOnly=yes when calling ssh; however, we are still discussing internally the potential side effects of this approach.

For a quick workaround, as mentioned in #15, you can add extra parameters and mssh will pass them to ssh, e.g. mssh ec2-user@i-1234567890abcd -o "IdentitiesOnly=yes"

CptTZ closed this as completed in 0ec6857 Jun 29, 2020
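Added example, not part of the thread or of the mssh code base: a small Python check that reads `ssh -v` output in the layout quoted in the issue, reports where the `-i` key falls in the offer order, and says whether it would be reached before the server's failure limit. The function names, the sample log (constructed, with placeholder fingerprints) and the model that every earlier key counts as one failure are assumptions; the limit of 5 is the figure reported in the issue.

```python
from typing import NamedTuple, Optional

PREFIX = "debug1: Will attempt key:"

class Attempt(NamedTuple):
    path: str          # empty for keys known only through the agent
    fingerprint: str
    flags: frozenset   # subset of {"explicit", "agent"}

def parse_attempts(log: str) -> list:
    """Return the keys the client plans to offer, in offer order."""
    attempts = []
    for line in log.splitlines():
        if not line.startswith(PREFIX):
            continue
        tokens = line[len(PREFIX):].split()
        fp_at = next((i for i, t in enumerate(tokens) if t.startswith("SHA256:")), None)
        if fp_at is None or fp_at == 0:
            continue  # not the layout shown in the issue
        path = " ".join(tokens[:fp_at - 1])   # tokens[fp_at - 1] is the key type
        attempts.append(Attempt(path, tokens[fp_at], frozenset(tokens[fp_at + 1:])))
    return attempts

def identity_position(attempts, identity: str) -> Optional[int]:
    """1-based position of the -i key in the offer order, or None."""
    for n, a in enumerate(attempts, start=1):
        if a.path == identity:
            return n
    return None

def reachable(log: str, identity: str, max_failures: int) -> bool:
    """Assumed model: every earlier key is rejected and counts as one failure."""
    pos = identity_position(parse_attempts(log), identity)
    return pos is not None and pos - 1 < max_failures

# Constructed sample output; fingerprints are placeholders, not real keys.
AGENT_LOG = "\n".join(
    ["debug1: Will attempt key: /home/u/.ssh/id_rsa RSA SHA256:EXAMPLE0 explicit agent"]
    + [f"debug1: Will attempt key:  RSA SHA256:EXAMPLE{i} agent" for i in range(1, 6)]
    + ["debug1: Will attempt key: .ssh/mssh-test-key RSA SHA256:EXAMPLE6 explicit"]
)
# Same run with IdentitiesOnly=yes: only the two explicit identities remain.
IDENTITIES_ONLY_LOG = "\n".join(AGENT_LOG.splitlines()[::6])

if __name__ == "__main__":
    for name, log in (("agent", AGENT_LOG), ("IdentitiesOnly=yes", IDENTITIES_ONLY_LOG)):
        print(name, identity_position(parse_attempts(log), ".ssh/mssh-test-key"),
              reachable(log, ".ssh/mssh-test-key", 5))
```

Run against a captured `ssh -v` log from a failing session, this shows whether the connection was dropped before the generated key was ever offered, which is the ambiguity raised in the second comment.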