49

Like most sysadmins I use openssh all the time. I have about a dozen ssh keys, I like to have a different ssh key for each host. However this causes a problem when I am connecting to a host for the first time, and all I have is a password. I want to just connect to the host using a password, no ssh key in this case. However the ssh client will offer all the public keys in my ~/.ssh/ (I know this from looking at the output of ssh -v). Since I have so many, I will get disconnected for too many authentication failures.

Is there some way to tell my ssh client to not offer all the ssh keys?

Amandasaurus

5 Answers

52

Although others have hinted at this with configuration-based solutions, it's probably worth pointing out that you can easily do this one-time-only on the command line with:

ssh -o 'PubkeyAuthentication no' myhostname.mydomain
Andrew Ferrier
48

This is expected behaviour according to the man page of ssh_config:

 IdentityFile
         Specifies a file from which the user's DSA, ECDSA or DSA
         authentication identity is read.  The default is ~/.ssh/identity
         for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and
         ~/.ssh/id_rsa for protocol version 2.  Additionally, any identities
         represented by the authentication agent will be used for
         authentication.

         [...]

         It is possible to have multiple identity files specified in
         configuration files; all these identities will be tried in
         sequence.  Multiple IdentityFile directives will add to the list of
         identities tried (this behaviour differs from that of other
         configuration directives).

Basically, specifying IdentityFiles just adds keys to a current list the SSH agent already presented to the client.

Try overriding this behaviour with this at the bottom of your .ssh/config file:

Host *
  IdentitiesOnly yes

You can also override this setting on the host level, e.g.:

Host foo
  User bar
  IdentityFile /path/to/key
  IdentitiesOnly yes
Mathias Bynens
    You can also use `ssh -o "IdentitiesOnly true" -v -A user@host` which is what I use to login to a machine which has none of my keys but I want to offer agent-forwarding to go on. (`-v` for verbose debugging). – eckes Mar 21 '17 at 18:40
    @eckes that's a nice tip, but shouldn't it be `yes` (and not `true`) though? – mehov Oct 01 '19 at 13:46
    `IdentitiesOnly` may not always help, you may have to exclude a host specifically; see https://superuser.com/questions/859661/how-can-i-force-ssh-to-ignore-the-identityfile-listed-in-host-for-one-specif – mehov Oct 02 '19 at 08:37
13

Following James Sneeringer's solution, you might just want to set an ssh_config along the lines of:

Host *.mycompany.com
  # paths are relative to the working directory unless anchored with ~
  IdentityFile ~/.ssh/id_dsa_mycompany_main

Host *.mycustomer.com
  IdentityFile ~/.ssh/id_dsa_mycustomer

Host *
  # this should be up top, avoid ssh1 at all costs
  # (ssh_config only recognises comments on a line of their own)
  RSAAuthentication no
  PubkeyAuthentication no

If you connect with a particular key to many machines not in a common domain, consider giving them all CNAMEs in your own DNS. I do this with all customer systems.
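The two answers above (the `IdentitiesOnly yes` / `Host *` answer and this one) both rest on how ssh_config resolves a host: for most options the first value obtained wins, so a `Host *` block is a default only if it sits below the more specific blocks, while `IdentityFile` directives accumulate across every matching block. The following is an added example, not code from any of the answers or from OpenSSH: a small POSIX sh reader that applies exactly those two rules to a config file, so you can see which keys would be offered and whether public-key authentication is on before connecting. It assumes plain `Host` patterns with `*` and `?` and whole-line comments; negated `!` patterns and `Match` blocks are deliberately not handled, and the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from any of the answers or from OpenSSH itself.
# A small POSIX-sh reader for ssh_config that applies the two rules the
# answers depend on, so a config can be checked before it is used:
#   1. For options such as IdentitiesOnly and PubkeyAuthentication, OpenSSH
#      keeps the FIRST value it obtains. A "Host *" default therefore belongs
#      at the bottom, and a more specific Host block above it overrides it.
#   2. IdentityFile is the exception: every matching directive is appended
#      to the list of keys offered (the man page excerpt quoted above).
# Scope (assumption of this example): plain Host patterns with * and ?,
# whole-line comments only; negated "!" patterns and Match blocks are not
# handled.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print "key<TAB>value" (key lower-cased) for every directive in CONFIG that
# applies to HOST, in file order. Directives before the first Host line
# apply to every host, as they do in OpenSSH.
applicable_directives() (
  config=$1 host=$2
  set -f                      # no pathname expansion: "Host *" must stay "*"
  in_match=1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}        # strip leading whitespace
    case $line in ''|'#'*) continue ;; esac      # blank or comment line
    key=${line%%[[:space:]=]*}                   # "Key value" or "Key=value"
    val=${line#"$key"}
    val=${val#"${val%%[![:space:]=]*}"}          # strip separator(s)
    val=${val%"${val##*[![:space:]]}"}           # strip trailing whitespace
    if [ "$(lower "$key")" = host ]; then
      in_match=0
      for pat in $val; do
        # an unquoted $pat in a case label is matched as a shell pattern,
        # which gives the same * and ? semantics as ssh_config Host patterns
        case $host in $pat) in_match=1 ;; esac
      done
    elif [ "$in_match" -eq 1 ]; then
      printf '%s\t%s\n' "$(lower "$key")" "$val"
    fi
  done < "$config"
)

# Rule 1: first obtained value wins. Prints nothing if the option is unset.
effective_option() {
  applicable_directives "$1" "$2" |
    awk -F'\t' -v k="$(lower "$3")" '$1 == k { print $2; exit }'
}

# Rule 2: IdentityFile directives accumulate, one per output line, in the
# order ssh would offer them (defaults and agent keys are not modelled here).
identity_files() {
  applicable_directives "$1" "$2" | awk -F'\t' '$1 == "identityfile" { print $2 }'
}

# Constructed sample config: a per-company key block that re-enables public
# keys, above a catch-all block that turns them off for first-time,
# password-only logins.
write_sample_config() {
  printf '%s\n' \
    'Host *.mycompany.com' \
    '  IdentityFile ~/.ssh/id_mycompany' \
    '  PubkeyAuthentication yes' \
    '  IdentitiesOnly yes' \
    '' \
    'Host *' \
    '  # default: password only, no keys offered' \
    '  PubkeyAuthentication no' \
    '  IdentityFile ~/.ssh/id_default' > "$1"
}

main() {
  cfg=$(mktemp)
  write_sample_config "$cfg"
  for h in build.mycompany.com newbox.example.org; do
    printf '%s: PubkeyAuthentication=%s IdentitiesOnly=%s keys=[%s]\n' "$h" \
      "$(effective_option "$cfg" "$h" PubkeyAuthentication)" \
      "$(effective_option "$cfg" "$h" IdentitiesOnly)" \
      "$(identity_files "$cfg" "$h" | tr '\n' ' ')"
  done
  rm -f "$cfg"
}
main
```

Swap the two `Host` blocks in the sample and the company host loses public-key authentication, because `Host *` then supplies the first `PubkeyAuthentication` value; that ordering mistake is the usual reason a `Host *` default "does not work". On a system with OpenSSH 6.8 or later, `ssh -G hostname` prints the configuration ssh would actually use for that host and is the authoritative check.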

2

Similar to user23413's solution, you can disable public key authentication altogether for a particular host (or wildcard pattern):

Host *.example.org
# SSHv1 (ssh_config only recognises comments on a line of their own)
RSAAuthentication no
# SSHv2
PubkeyAuthentication no
James Sneeringer
-1

If you point to a particular key file with ssh -i /path/to/key it'll only use that one even if others are loaded into the agent, and you won't be prompted for the password. You can also edit your ~/.ssh/config and add something like this...

Host foo.example.com
IdentityFile ~/.ssh/id_rsa_foo.example.com

you can also do...

Host *.example.org
IdentityFile ~/.ssh/id_rsa_example.org

ryanc
  • That just adds the target key to the end of the list, which won't solve the problem. `IdentitiesOnly` only with that will. – Jo Rhett Oct 16 '18 at 17:49