September 7, 2023
Question

SSH Agent breaks username/password SSH Authentication


Starting recently, 1Password broke SSH for servers that use basic username/password authentication. These servers do not have credentials in 1Password and I don't want to store them in 1Password.

Whenever I go to log in to a server, I see the following error:

user@Computer ~ % ssh username@192.168.1.1
Received disconnect from 192.168.1.1 port 22:2: Too many authentication failures

The only solution is to disable the SSH Agent in 1Password Settings -> Developer.

When will this bug get fixed?


1Password Version: 8.10.13
Extension Version: Not Provided
OS Version: macOS 13.5.1
Browser: Not Provided

4 replies

floris_1P
1Password Employee
September 7, 2023

You're getting this error because ssh first tries to authenticate with every key you have in the agent, and only then falls back to the username/password authentication method. But also: the default SSH server configuration states that you only have 6 authentication tries in total, which can be a problem if you have too many keys in the agent.

The good news is that you can control which authentication mechanism gets used first, using the PreferredAuthentications SSH config directive. For example, if certain hosts only support username/password auth, you can disable publickey authentication for these hosts and have them only use password authentication:


Host somehost
PreferredAuthentications password

wavesound
Author
September 27, 2023

@floris_1P

I deleted a few unused keys and I'm back in business. Thank you for your answer. I'm connecting to a variety of hosts with a variety of settings so I can't simply preset PreferredAuthentications for all the random hosts I come across all the time...

Is there any way for the 1Password agent to know what host the keys should be used on?

floris_1P
1Password Employee
October 2, 2023

How keys are matched with hosts happens on the SSH client side, rather than the SSH agent side. If your hosts are dynamic, here are some tricks that might help you:

If there is a common static part in the hosts, like a domain, you can use a wildcard * in your SSH config:

Host *.mydomain.com
PreferredAuthentications password

Or if you're always connecting to these hosts using a certain script, you can add the option inline:

ssh -o 'PreferredAuthentications=password' user@host
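
An added example, not part of the thread and not 1Password's or OpenSSH's code: a small shell model of the two points in the replies above, that the client takes PreferredAuthentications from the first matching Host block, and that each key offered from the agent uses up one of the server's tries. The function names, the sample config and the key counts are constructed for illustration; ServerAliveInterval appears only as an unrelated directive.

```shell
#!/bin/sh
# Added example: simplified model, not OpenSSH's own parser. Handles only
# "Host <patterns>" blocks and PreferredAuthentications (no Match/Include/negation).

# preferred_auth HOST CONFIG: print the first PreferredAuthentications value that
# applies to HOST (ssh_config keeps the first value obtained), or nothing if unset.
preferred_auth() {
    host=$1 active=1            # lines before the first Host apply to every host
    while read -r key rest; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            host)
                active=0
                set -f          # keep the shell from expanding * against files
                for pat in $rest; do
                    case $host in $pat) active=1 ;; esac
                done
                set +f ;;
            preferredauthentications)
                if [ "$active" -eq 1 ]; then printf '%s\n' "$rest"; return 0; fi ;;
        esac
    done < "$2"
    return 0
}

# auth_outcome HOST CONFIG AGENT_KEYS [MAX_TRIES]
# Assumption: every key the agent offers costs one server-side try, and the
# server disconnects once failures reach MAX_TRIES (6 is the default named above).
auth_outcome() {
    max=${4:-6}
    case $(preferred_auth "$1" "$2") in
        password*) echo "password-first" ;;
        *)  if [ "$3" -ge "$max" ]; then echo "lockout-before-password"
            else echo "password-after-$3-key-failures"; fi ;;
    esac
}

# Constructed sample config, using the host patterns from the replies above.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
Host *.mydomain.com somehost
    PreferredAuthentications password
Host *
    ServerAliveInterval 30
EOF

for h in sw1.mydomain.com 192.168.1.1; do
    printf '%-18s 8 keys -> %s\n' "$h" "$(auth_outcome "$h" "$SAMPLE_CONFIG" 8)"
done
```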

solarizde
October 6, 2023

I have exactly the same situation. I helped myself by creating a short alias; not sure if this is doable on Mac, but it should be.

# Arguments typed after the alias are appended automatically, so no positional parameter is needed.
alias sshp='ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no'

So if I want to connect to password-only hosts (in my case random switches), I use sshp manager@10.10.10.10