Former Member
3 years ago
Ability to specify which key to use (otherwise: Too many authentication failures)
I was perplexed as to why I could not SSH into a system earlier today. It looks like ssh is simply trying all of the keys in my vault, one after another, though never getting to the one it needs before the server fails with "Too many authentication failures":
debug2: pubkey_prepare: done
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: foo1 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar1 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: foo2 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar2 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: foo3 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering public key: bar3 RSA SHA256:... agent
debug2: we sent a publickey packet, wait for reply
Received disconnect from x.x.x.x port 22:2: Too many authentication failures for username
Is there any way to support specifying the key to grab from the vault so that this does not happen?
1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3
- Jack_P_1P
1Password Team
Thanks for sharing @yboulkaid! 🙂
As Jody mentioned, we're actively looking to make using 1Password SSH Agent better for those with many keys, so keep an eye out!
Jack
- Jack_P_1P
1Password Team
Hi @jenssgb and @Ekami67:
As of yesterday, 1Password for desktop now includes the ability to better customize which keys are used: SSH agent config file | Developer Documentation
Jack
- Former Member
Yes, you can specify the key to use via IdentityFile in the .ssh/config file. You can view the keys by running
SSH_AUTH_SOCK="$(readlink -f ~/Library/Group\ Containers/*.com.1password/t/agent.sock)" ssh-add -l
You'll see a line per key in the form of
KEY_SIZE SHA256:KEY_HASH FILE_NAME (KEY_TYPE)
Set your IdentityFile equal to the FILE_NAME and it will use that key.
- Former Member
Set your IdentityFile equal to the FILE_NAME and it will use that key.
Hm, I see FILE_NAME is just a single word (like foo1) but adding that as IdentityFile foo1 seems to look for an actual file. Is that the correct way to define it, or do I need a path?
- Former Member
AW, that stinks, but I suppose it makes sense. I moved all of my SSH keys into 1Password, hoping I would no longer have my keys exposed on the filesystem. I guess I need to just go back to that. I hope 1Password figures out another solution some day!
- Former Member
floris_1P -- From the docs you linked, it says to export the public key, not the private key. That doesn't make sense -- shouldn't it be the private key?
- floris_1P
1Password Team
@Gudlyf No, it's really the public key! That would otherwise defeat the purpose of having this built-in SSH agent 😅. IdentityFile is indeed most famous for its use with private keys, but you can also use it with public keys, so that the private keys never have to leave the SSH agent.
- Former Member
floris_1P Yeah I figured that was the point but doing that doesn't seem to work.
sign_and_send_pubkey: signing failed for RSA "/Users/username/.ssh/id_rsa.pub" from agent: agent refused operation
user@x.x.x.x: Permission denied (publickey).
Changing to the private key file works.
- floris_1P
1Password Team
Do you see anything appear in the 1Password logs when you run the SSH command? On macOS:
~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log
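The public-key IdentityFile approach floris_1P describes earlier in the thread, as an added example that is not part of the thread and not 1Password's own code: it selects one key from `ssh-add -L` output by its name, saves only the public half, and prints a Host block for it. The function names and sample keys are constructed for illustration, and the block adds OpenSSH's `IdentitiesOnly yes`, which the thread does not mention, so that ssh offers only the configured key instead of every key in the agent.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# select_pubkey NAME
# Reads `ssh-add -L` output on stdin and prints the one line whose comment
# (everything after the key type and base64 blob) equals NAME exactly.
# Returns non-zero when no key or more than one key carries that name,
# so an ambiguous name never pins the wrong key.
select_pubkey() {
    awk -v want="$1" '
        {
            c = $0
            sub(/^[^ ]+ +[^ ]+ */, "", c)   # drop key type and blob
            if (c == want) { hit = $0; n++ }
        }
        END { if (n != 1) exit 1; print hit }'
}

# host_stanza HOST PUBFILE
# Prints an ssh_config block that offers only the key in PUBFILE.
# IdentitiesOnly stops ssh from also offering every other agent key.
host_stanza() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# pin_key NAME HOST DIR
# Writes DIR/NAME.pub from the agent listing on stdin, prints the stanza.
pin_key() {
    line=$(select_pubkey "$1") || {
        echo "no unique agent key named '$1'" >&2
        return 1
    }
    printf '%s\n' "$line" > "$3/$1.pub"
    host_stanza "$2" "$3/$1.pub"
}

# Constructed stand-in for `ssh-add -L` output; the blobs are placeholders.
SAMPLE_KEYS='ssh-rsa AAAAB3constructedblob1 foo1
ssh-rsa AAAAB3constructedblob2 bar1
ssh-ed25519 AAAAC3constructedblob3 foo2'
```

With SSH_AUTH_SOCK pointing at the 1Password agent socket as in the `ssh-add -l` command earlier in the thread, `ssh-add -L | pin_key foo1 server.example.com ~/.ssh` prints a block to append to ~/.ssh/config; server.example.com is a placeholder host.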