Managing a large number of SSH keys

Having a large number of SSH keys can cause a problem when you connect with a plain ssh hostname. This is because of the MaxAuthTries setting in /etc/ssh/sshd_config on the server, combined with the fact that your client offers every key it has available, one after another: every key loaded in ssh-agent plus the default identity files in ~/.ssh. Each key the server rejects counts as one failed authentication attempt.

Once the number of failed attempts on a single connection reaches MaxAuthTries (default = 6), sshd drops the connection with "Too many authentication failures". It does not fall back to password authentication; the right key (or your password) is simply never tried if it comes after the limit. To prevent this, tell the client which key to use for which server. There are two ways.

As a command-line option (IdentitiesOnly=yes is needed when ssh-agent is running, otherwise the agent's keys are still offered alongside the one you named):
ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes user@hostname

By specifying a Host/IdentityFile pair in ~/.ssh/config (again with IdentitiesOnly, so only the listed key is offered for that host):
Host hostname
    IdentityFile /home/USER/.ssh/id_rsa
    IdentitiesOnly yes

Host hostname2
    IdentityFile /home/USER/.ssh/id_rsa2
    IdentitiesOnly yes
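To tie the diagnosis and the fix together, here is an added shell example that is not part of the original post. It parses the output of ssh -v to tell whether a failed login was this MaxAuthTries problem (counting the keys the client offered and looking for the server's disconnect message), and prints the ~/.ssh/config stanza that pins a single key with IdentitiesOnly. The log lines are a constructed sample, and the host alias, user and key path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose a "Too many
# authentication failures" disconnect from `ssh -v` output and emit the
# ~/.ssh/config stanza that pins a single key for that host.

# Constructed sample of `ssh -v user@hostname` output, trimmed to the lines
# that matter. Six agent keys are offered and rejected, so sshd's default
# MaxAuthTries (6) is exhausted before the right key is ever tried.
SAMPLE_LOG='debug1: Offering public key: /home/USER/.ssh/id_rsa RSA SHA256:k1 agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/USER/.ssh/id_rsa2 RSA SHA256:k2 agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/USER/.ssh/client_a ED25519 SHA256:k3 agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/USER/.ssh/client_b ED25519 SHA256:k4 agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/USER/.ssh/old_laptop RSA SHA256:k5 agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/USER/.ssh/ci_deploy RSA SHA256:k6 agent
Received disconnect from 203.0.113.10 port 22:2: Too many authentication failures
Disconnected from 203.0.113.10 port 22'

# Number of keys the client offered. Matches both the current
# "Offering public key:" wording and the older "Offering RSA public key:".
# grep -c prints 0 but exits 1 when nothing matches, hence the || true.
count_offered_keys() {
    printf '%s\n' "$1" | grep -c 'Offering .*public key' || true
}

# True if the server ended the session with the MaxAuthTries disconnect.
hit_max_auth_tries() {
    printf '%s\n' "$1" | grep -q 'Too many authentication failures'
}

# Print a ~/.ssh/config stanza for one host. IdentitiesOnly is the part
# that stops the agent's other keys from being offered before this one.
# Arguments: alias, real hostname, user, path to the private key.
host_stanza() {
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4"
}

# Summarise a verbose log; returns 1 if it shows the MaxAuthTries problem.
diagnose() {
    n=$(count_offered_keys "$1")
    if hit_max_auth_tries "$1"; then
        echo "server disconnected after $n rejected keys: MaxAuthTries reached, pin one key"
        return 1
    fi
    echo "$n key(s) offered, no MaxAuthTries disconnect"
}

# Placeholder alias, hostname, user and key path; replace with your own.
if ! diagnose "$SAMPLE_LOG"; then
    host_stanza hostname hostname USER /home/USER/.ssh/id_rsa
fi
```

On a real machine, feed it the captured output instead of the sample: ssh -v user@hostname 2>&1 | tee /tmp/ssh.log, then pass the file contents to diagnose. Append the printed stanza to ~/.ssh/config and retry; ssh -v should now show exactly one "Offering public key" line.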

Of course you can also increase the MaxAuthTries value on the SSH server(s) in /etc/ssh/sshd_config, but this is not recommended: that limit is what caps how many key or password guesses an attacker gets per connection, and it is a server-side change for what is really a client-side problem.

This automatic mechanism is also annoying when using password authentication, because the client offers all of its keys (possibly using up the whole MaxAuthTries budget) before it ever prompts for a password. To force the ssh client to use password authentication only and not to offer keys, use the PreferredAuthentications option (setting -o PubkeyAuthentication=no has the same effect):

ssh -o PreferredAuthentications=password hostname

(This post is an extended version of an answer on Server Fault: http://serverfault.com/questions/36291/how-to-recover-from-too-many-authentication-failures-for-user-root/256083#256083 )
