How do I configure SSH so it doesn't try all the identity files automatically?


I have been putting my ssh identity files inside my ~/.ssh/ folder. I have probably about 30 files in there.

When I connect to servers, I will specify the identity file to use with something like

ssh -i ~/.ssh/client1-identity client1@10.1.1.10

However, if I do not specify an identity file, and just use something like this:

ssh user123@example.com

I get the error

Too many authentication failures for user123

I understand that is because if no identity file is specified, and ssh can find identity files, then it will try all of them.

I also understand that I can edit the ~/.ssh/config file and specify something like:

Host example.com
PreferredAuthentications keyboard-interactive,password

in order to prevent that connection from trying known identity files.

So, I guess I could move my identity files outside of the ~/.ssh/ directory, or I could specify each host that I want to disable identity-file authentication for in the config file, but is there any way to tell SSH by default not to search for identity files? Or to specify the ones it will search for?

cwd

Posted 2011-04-09T17:01:40.840


Re "I understand that is because..." - use ssh -v to find out for sure. – user1686 – 2011-04-09T19:19:26.380

Answers


You can use the IdentitiesOnly=yes option along with IdentityFile (see ssh_config man page). That way, you can specify which file(s) it should look for.

In this example, ssh will only look in the identities given in the ssh_config files + the 4 ones listed on the command line (the identities provided by the agent will be ignored):

ssh -o IdentitiesOnly=yes \
    -o IdentityFile=id1.key \
    -o IdentityFile=id2.key \
    -i id3.key \
    -i id4.key \
    user123@example.com

The forms -i and -o IdentityFile= are interchangeable.

user76528


An example would be nice. – rubo77 – 2014-08-14T05:49:42.287

Isn't it: IdentitiesOnly yes (without the "=")? – Dimitrios Mistriotis – 2016-12-28T10:18:20.270

@DimitriosMistriotis According to the ssh_config man page, either is acceptable: "Configuration options may be separated by whitespace or optional whitespace and exactly one '='; the latter format is useful to avoid the need to quote whitespace when specifying configuration options using the ssh, scp, and sftp -o option." – Nick Anderegg – 2016-12-31T19:30:18.227

IdentitiesOnly may not always work; you may have to exclude a host specifically. See https://superuser.com/questions/859661/how-can-i-force-ssh-to-ignore-the-identityfile-listed-in-host-for-one-specif – aexl – 2019-10-02T08:39:41.857


user76528's short answer is correct, but I just had this problem and thought some elaboration would be useful. You might also care about this solution if you've wondered "Why is ssh ignoring my IdentityFile configuration option?"

Firstly, unlike every other option in ssh_config, ssh does not use the first IdentityFile that it finds. Instead the IdentityFile option adds that file to a list of identities used. You may stack multiple IdentityFile options, and the ssh client will try them all until the server accepts one or rejects the connection.

Second, if you use an ssh-agent, ssh will automatically try to use the keys in the agent, even if you have not specified them in ssh_config's IdentityFile (or -i) option. This is a common reason you might get the "Too many authentication failures for user" error. Using the IdentitiesOnly yes option will disable this behavior.

If you ssh as multiple users to multiple systems, I recommend putting IdentitiesOnly yes in your global section of ssh_config, and putting each IdentityFile within the appropriate Host subsections.

chrishiestand


Putting IdentitiesOnly yes in the global section of ssh_config is what did it for me. Thanks! – jamix – 2015-03-20T11:04:37.073

Thank you for the detailed comment. I used to use ('\' for newline) Host * \ IdentityFile ~/.ssh/mykey as a configuration option, and at first it seemed odd that having a different entry for a specific site, e.g. Host special \ IdentityFile ~/.ssh/specialkey \ IdentitiesOnly yes, continued to supply mykey instead of specialkey. It certainly was unclear, until I realized (from your answer) that the IdentityFile entries are stacked in an order of evaluation and the last-defined one will be used. Removing IdentityFile ~/.ssh/mykey solved the issue, and the correct, single key was used. – Ryder – 2015-10-05T15:28:08.600

Before I tried this, I noticed my git pull/push commands were trying every single identity loaded in my agent. It wasn't a problem till at one point I had too many keys. – sdkks – 2018-03-26T03:06:32.080

Nicely explained, thank you. It's not obvious that the parameter 'IdentitiesOnly' means TakeOnlyWhatIExplicitlySpecifyThenFailoverToPassword. And apparently, the ./ssh/id_rsa key is still listed. – lImbus – 2014-01-09T13:14:05.867
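The stacking behaviour chrishiestand describes, and the surprise in Ryder's comment, modelled in an added example that is not code from the thread: a small resolver that mimics how OpenSSH collects options from ssh_config, assuming plain Host blocks only (no Match, Include or negated patterns); `ssh -G host` prints the real client's view of the same thing for comparison.

```python
# Added example (not code from the thread): simplified ssh_config resolver.
# Assumes plain Host blocks only (no Match, Include or "!" negated patterns).
import fnmatch
import re
OPTION_RE = re.compile(r"([^\s=]+)\s*=?\s*(.*)")  # "Key value" or "Key=value"

def parse(text):
    """Split config text into (host_patterns, [(key, value), ...]) blocks."""
    blocks = [(["*"], [])]  # options before the first Host line apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = OPTION_RE.match(line).groups()
        if key.lower() == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key.lower(), value.strip()))
    return blocks

def resolve(text, host):
    """Effective options for the name typed on the command line (cf. ssh -G)."""
    result = {}
    for patterns, options in parse(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, value in options:
            if key == "identityfile":
                result.setdefault(key, []).append(value)  # stacks, file order
            elif key not in result:
                result[key] = value  # first obtained value wins
    return result

# Constructed, shaped like Ryder's: mykey is collected for "special" too; User joe wins.
STACKED = """\
Host *
    IdentityFile ~/.ssh/mykey
    User joe
Host special
    IdentityFile ~/.ssh/specialkey
    User root
"""

# Constructed fix: global IdentitiesOnly last (first value wins), keys scoped per Host.
SCOPED = """\
Host special
    IdentityFile ~/.ssh/specialkey
Host *
    IdentitiesOnly=yes
"""
```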


I generally do it like so:

$ ssh -o IdentitiesOnly=yes -F /dev/null -i ~/path/to/some_id_rsa root@server.mydom.com

The options are as follows:

  • -o IdentitiesOnly=yes - tells SSH to only use keys that are provided via the CLI and none from the $HOME/.ssh or via ssh-agent
  • -F /dev/null - disables the use of $HOME/.ssh/config
  • -i ~/path/to/some_id_rsa - the key that you explicitly want to use for the connection

Example

$ ssh -v -o IdentitiesOnly=yes -F /dev/null -i ~/my_id_rsa root@someserver.mydom.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /dev/null
debug1: Connecting to someserver.mydom.com [10.128.12.124] port 22.
debug1: Connection established.
debug1: identity file /Users/sammingolelli/my_id_rsa type 1
debug1: identity file /Users/sammingolelli/my_id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA f5:60:30:71:8c:a3:da:a3:fe:b1:6d:0b:20:87:23:e1
debug1: Host 'someserver' is known and matches the RSA host key.
debug1: Found key in /Users/sammingolelli/.ssh/known_hosts:103
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/sammingolelli/my_id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to someserver.mydom.com ([10.128.12.124]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Last login: Tue Dec  8 19:03:24 2015 from 153.65.219.15
someserver$

Notice in the above output that ssh has only identified the my_id_rsa private key via the CLI and that it uses it to connect to someserver.

Specifically these sections:

debug1: identity file /Users/sammingolelli/my_id_rsa type 1
debug1: identity file /Users/sammingolelli/my_id_rsa-cert type -1

and:

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/sammingolelli/my_id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).

slm


Thanks, this is the only complete solution. Apparently, -F /dev/null is the missing piece in the other answers. – leden – 2016-12-16T03:36:29.363


In the scenario where you have many keys, you will invariably run into the "Too many Authentication Failures" error. If you have a password, and want to simply use the password to login, here is how you do it.

To use ONLY password authentication and NOT use Public-key, and NOT use the somewhat misleading "keyboard-interactive" (which is a superset including password), you can do this from the command line:

ssh -o PreferredAuthentications=password user@example.com

Greg Rundlett



Use IdentityFile but Keep Using ssh-agent to Avoid Passphrase Reprompts

The accepted solution of using IdentitiesOnly yes means you'll never be able to take advantage of ssh-agent, resulting in repeated prompts for your passphrase when loading your key.

To keep using ssh-agent and avoid the 'Too many authentication failures' errors, try this:

  1. Remove any interactive console startup scripts that automatically load keys into ssh-agent.

  2. Add AddKeysToAgent yes to your client's ssh config. This will prompt you for the passphrase on first connect, but then add the key to your agent.

  3. Use ssh-add -D when you get 'too many authentication' errors. This simply 'resets' (deletes) your ssh-agent cache. Then attempt the connection again within the same session. You will be prompted for a passphrase, and once accepted, the key will be added to your agent. Since you'll have only one key in your agent, you will be allowed to connect. ssh-agent is then still there for future connections during the same session to avoid reprompts.

    Host ex example.com
       User joe
       HostName example.com
       PreferredAuthentications publickey,password
       IdentityFile /path/to/id_rsa
       AddKeysToAgent yes

AndrewD


Will it accept keys added to keychain? – vfclists – 2017-09-19T13:00:46.580


The ssh client and the ssh-agent are communicating through a Unix domain socket whose name is specified to the client by the SSH_AUTH_SOCK environment variable (set by the agent upon its startup).

Thus, to prevent a single invocation of the client from querying the agent, this variable can be set explicitly to something invalid, like an empty string:

$ SSH_AUTH_SOCK= ssh user@server

A client invocation like this will fail communicating with the agent and only be able to offer the identities available as files in ~/.ssh/, or any specified on the command line using -i, to the server.

debug1: pubkey_prepare: ssh_get_authentication_socket: Connection refused

mikini


This is a great answer. It's simple and works when you're using commands that use SSH "under the hood", like git. A pity I can't upvote it more. – rsuarez – 2019-08-07T15:10:59.567


Add this at the end of the ~/.ssh/config file to prevent keys from being used for servers that are not in the config:

Host *
IdentitiesOnly=yes

Maxim Akristiniy



You had the answer all along (almost):

Host *
PreferredAuthentications keyboard-interactive,password

Worked for me.

Henry Grebler


The question asked about how to limit which public keys are used. This answer disables public key authentication entirely. – chrishiestand – 2012-06-12T22:11:50.957

I +1'd because it was the answer I was googling for, thanks @Henry Grebler – matiu – 2012-07-24T06:19:00.200