Skip to main content
April 4, 2022
Question

Ability to specify which key to use (otherwise: Too many authentication failures)

  • April 4, 2022
  • 39 replies
  • 10306 views

I was perplexed as to why I could not SSH into a system earlier today. It looks like ssh is simply trying all of the keys in my vault, one after another, though never getting to the one it needs before the server fails with "Too many authentication failures":


debug2: pubkey_prepare: done
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: foo1 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar1 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: foo2 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar2 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: foo3 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar3 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
Received disconnect from x.x.x.x port 22:2: Too many authentication failures for username

Is there any way to support specifying the key to grab from the vault so that this does not happen?


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3

39 replies

April 5, 2022

Yes, you can specify the key to use via IdentityFile in the .ssh/config file. You can view the keys by running


SSH_AUTH_SOCK="$(readlink -f ~/Library/Group\ Containers/*.com.1password/t/agent.sock)" ssh-add -l

You'll see an line per key in the form of


KEY_SIZE SHA256:KEY_HASH FILE_NAME (KEY_TYPE)

Set your IdentityFile equal to the FILE_NAME and it will use that key.

April 6, 2022

Set your IdentityFile equal to the FILE_NAME and it will use that key.

Hm, I see FILE_NAME is just a single word (like foo1) but adding that as IdentityFile foo1 seems to look for an actual file. Is that the correct way to define it, or do I need a path?

floris_1P
1Password Employee
April 7, 2022

See this page on how to deal with the Too many authentication failures error. You'll have to download the public key file and use that as IdentityFile. ssh-add -l only shows the key item name.

April 7, 2022

AW, that stinks, but I suppose it makes sense. I moved all of my SSH keys into 1Password, hoping I would no longer have my keys exposed on the filesystem. I guess I need to just go back to that. I hope 1Password figures out another solution some day!

April 11, 2022

@floris_1P -- From the docs you linked, it says to export the public key, not the private key. That doesn't make sense -- shouldn't it be the private key?

floris_1P
1Password Employee
April 12, 2022

@Gudlyf No, it's really the public key! That would otherwise defeat the purpose of having this built-in SSH agent 😅.

IdentityFile is indeed most famous for its use with private keys, but you can also use with public keys, so that the private keys never have to leave the SSH agent.

April 12, 2022

@floris_1P Yeah I figured that was the point but doing that doesn't seem to work.

sign_and_send_pubkey: signing failed for RSA "/Users/username/.ssh/id_rsa.pub" from agent: agent refused operation
user@x.x.x.x: Permission denied (publickey).

Changing to the private key file works.

floris_1P
1Password Employee
April 12, 2022

Do you see anything appear in the 1Password logs when you run the SSH command? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

April 12, 2022

@floris_1P Ah, thanks for pointing me to that. Looks like it's an older SHA-1 key we'll need to update.

floris_1P
1Password Employee
April 12, 2022

It's not an issue with the key itself, but rather the communication mechanism between the SSH server and the SSH client when using RSA keys. If the server supports a more modern RSA algorithm (like rsa-sha2-256), you can add this snippet to your SSH config to opt out of the legacy ssh-rsa algorithm.


HostkeyAlgorithms -ssh-rsa
PubkeyAcceptedAlgorithms -ssh-rsa

However, some servers and some clients only support ssh-rsa for RSA keys. In some cases, simply switching to an Ed25519 key is a feasible workaround. But we're also working on adding better legacy support to the SSH agent, we'll post an update in this thread when that's released.