Try more than the default # of keys (6) for method publickey.

Barry Allard created an issue

The use case is pretty simple: pushing code to a bitbucket repo on a remote system without exposing an encrypted private key, stored locally (usually a laptop), loaded via ssh agent. Well aware of another ssh agent issue, this has been tested and is not related.

This works with bitbucket with a small number of keys, but it is inadequate for enterprise environments where there are likely more than 6 keys.


* This can be increased by a simple packaged rebuild of ssh bumping AUTH_FAIL_MAX to a reasonable number (i.e., 12). There is a theoretical reduction of complexity for attacking SSH, but it's assumed there are standard measures in place to detect and block malicious bots hammering the service (meta: practicality vs. unusable security tradeoff).

Also required: /etc/ssh/sshd_config:
MaxAuthTries 12 # with modified AUTH_FAIL_MAX

Comments (2)

  1. Charles McLaughlin

    Hi Barry,

    Again, thanks for the suggestion. My suggestion in #3363 applies to this issue as well. You can manage multiple keys on the client side. Point taken that this isn't ideal for large enterprise environments. We hope to make some improvements in that area in the coming year.

    Regards,

    Charles
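The two approaches on this page, the server-side MaxAuthTries bump in the issue and the client-side key management Charles points to, as an added example that is not part of the issue or of Bitbucket's code: it counts the identities the agent offers, compares them with the MaxAuthTries limit, and emits a ~/.ssh/config stanza that pins one key to one host with IdentitiesOnly. The ssh-add output, key names and file paths are constructed; bitbucket.org with user git is an assumption.

```shell
# Constructed sample of `ssh-add -l` output with 8 loaded identities
# (fingerprints are placeholders, not real keys).
SAMPLE_AGENT_LIST='256 SHA256:KEYFP01placeholder alice@laptop (ED25519)
256 SHA256:KEYFP02placeholder alice-ci@laptop (ED25519)
3072 SHA256:KEYFP03placeholder alice-legacy@laptop (RSA)
256 SHA256:KEYFP04placeholder team-a-deploy (ED25519)
256 SHA256:KEYFP05placeholder team-b-deploy (ED25519)
256 SHA256:KEYFP06placeholder prod-bastion (ED25519)
256 SHA256:KEYFP07placeholder staging-bastion (ED25519)
256 SHA256:KEYFP08placeholder bitbucket-push (ED25519)'

# Count identities in `ssh-add -l` output read from stdin
# ("The agent has no identities." yields 0).
agent_key_count() {
    grep -c '^[0-9][0-9]* SHA256:' || true
}

# Succeed when the agent offers more keys than sshd accepts in one
# connection (sshd default MaxAuthTries is 6): every key past the limit
# is never tried and the server records a failed authentication instead.
exceeds_max_auth_tries() {
    count=$1
    limit=${2:-6}
    [ "$count" -gt "$limit" ]
}

# Emit a ~/.ssh/config stanza that pins one key to one host, so the agent
# offers only that key there (IdentitiesOnly is a standard ssh_config option).
pin_identity_stanza() {
    host=$1; user=$2; keyfile=$3
    printf 'Host %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$host" "$user" "$keyfile"
}

# Against a live agent you would use:  ssh-add -l | agent_key_count
main() {
    n=$(printf '%s\n' "$SAMPLE_AGENT_LIST" | agent_key_count)
    if exceeds_max_auth_tries "$n" 6; then
        echo "agent offers $n keys; default MaxAuthTries is 6. Pin one key per host:"
        pin_identity_stanza bitbucket.org git '~/.ssh/bitbucket_ed25519'
    fi
}
main
```

With the stanza in place the agent offers a single key for that host, so the limit is never reached even when the agent holds a dozen identities, and no server rebuild is needed.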
