feat: increase number of public key attempts before failing ssh #3739
base: main
Can you make it configurable? That way if someone comes around later asking for 19, or 32 retries, they can adjust a chart value? Edit: Use |
Rather than hacking around a client limitation in the server, can we add support for parsing the config file to lagoon-cli? edit: even simpler would be to add an Some problems I see with the change in this PR:
|
This would be easy enough to do |
IMHO it's the other way around, the server is limited and the previous "hack" was to set an We've already had complaints from other users about this error, our response was "learn how to use SSH config." With that solution now gone (and let's be honest, now that I'm personally impacted), this very minor fix went to the top of my list.
I addressed this in the OP. The cli has this option, but every command requires that you enter your password because it's no longer using the ssh-agent. It's the worst of all options.
Maybe? I looked at some solutions, there were a lot of questions about getting hostname globbing working correctly for example. While that's getting worked out, I can't SSH into environments until I reboot my computer enough times to get an order in ssh-agent that works.
Source? I noticed no difference, maybe it delays by 10s of milliseconds? And it only slows down for users that have lots of keys. This SO answer suggests that the expensive part is the initial connection, and each "auth try" is cheap.
This PR is to add support for more than 6 ssh keys, maybe I'm misunderstanding this comment? @smlx would your concerns be mitigated by a configurable |
What I meant is that in your

```yaml
lagoons:
  test:
    identityfiles:
      - ~/.ssh/id_ed25519_lagoon1.pub
      - ~/.ssh/id_ed25519_lagoon2.pub
```

And then, just like |
How do I tell the agent library in go to use a specific key in the agent? I couldn't find anything that described this clearly? Edit: the CLI already has a flag to specify a key to use, but atm this is a forced bypass of the agent. So if the key is encrypted it will prompt a password. But if there is a way to pass this to the client to use when the agent is present, that would be a simple fix in the CLI. Edit2: I think I see how it could work. Yep, I have a POC that can do this |
I'm all for also improving the cli experience, created an issue to discuss those details separately uselagoon/lagoon-cli#354. |
Is this now addressed by uselagoon/lagoon-cli#355? |
General Checklist

Problem

When using `lagoon-cli` to SSH or login, an error is returned: `error: maximum authentication attempts exceeded`.

Solution

Increase the `MaxAuthTries` of the SSH server. I arbitrarily multiplied the default by three.

Background

`lagoon-cli` will iterate over all of the keys in the system ssh-agent, but the order of the keys is non-deterministic. In the case where a user has more than six SSH keys, it's possible that the correct one is at the end of the list and the max auth attempts is exceeded.

Now that `lagoon-cli` and `lagoon-sync` have integrated SSH go libraries, they no longer call out to the system ssh binary. The side effect is that ssh client config files are no longer used. Previously, a user could set the `IdentityFile` in their `~/.ssh/config` and avoid this problem.

The `lagoon-cli` can be configured with a specific ssh key (either in `~/.lagoon.yml` or by passing `-i`) but then the user will be asked to enter their password for every command.