Try more than the default # of keys (6) for method publickey.

Issue #3361 wontfix
Barry Allard created an issue

The use case is pretty simple: pushing code to a bitbucket repo on a remote system without exposing an encrypted private key, stored locally (usually a laptop), loaded via ssh agent. I am well aware of another ssh agent issue; this has been tested and is not related.

This works with bitbucket with a small number of keys, but it is inadequate for enterprise environments where there are likely more than 6 keys.

* This can be increased by a simple package rebuild of ssh bumping AUTH_FAIL_MAX to a reasonable number (e.g., 12). There is a theoretical reduction of complexity for attacking SSH, but it's assumed there are standard measures in place to detect and block malicious bots hammering the service (meta: practicality vs. unusable security tradeoff).

Also required in /etc/ssh/sshd_config:

    MaxAuthTries 12   # with modified AUTH_FAIL_MAX
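The failure mode behind this issue is mechanical: ssh offers the agent's identities in the order `ssh-add -l` lists them, and each key the server rejects counts as one failed publickey attempt against MaxAuthTries, so a key that sits past position 6 is never reached. The script below is an added example, not code from the issue, from Bitbucket or from OpenSSH; it checks where a given key sits in a constructed agent listing (the fingerprints are placeholders), decides whether it would be tried within a given MaxAuthTries, and prints the client-side alternative to raising the server limit: an `IdentitiesOnly yes` stanza that pins one key to one host (the host name `bitbucket.org` and the key path are assumptions). One caveat worth keeping in mind when raising MaxAuthTries instead: it caps attempts for every authentication method on the server, so a higher value also buys password guessers more tries unless PasswordAuthentication is off.

```shell
#!/bin/sh
# Added example, not from the issue or from OpenSSH: predict whether the key
# for a host will be offered before the server's MaxAuthTries budget is spent.
# ssh offers the agent's identities in the order `ssh-add -l` lists them, and
# every key the server rejects counts as one failed attempt.

DEFAULT_MAX_AUTH_TRIES=6   # OpenSSH default; the issue proposes 12

# Constructed `ssh-add -l` output. Fingerprints are placeholders, not real keys.
AGENT_LIST='2048 SHA256:aaaaaaaa alice@laptop github (RSA)
2048 SHA256:bbbbbbbb alice@laptop aws-prod (RSA)
2048 SHA256:cccccccc alice@laptop aws-stage (RSA)
256 SHA256:dddddddd alice@laptop bastion (ED25519)
256 SHA256:eeeeeeee alice@laptop gitlab (ED25519)
2048 SHA256:ffffffff alice@laptop legacy (RSA)
256 SHA256:gggggggg alice@laptop bitbucket (ED25519)'

# 1-based position of a fingerprint in the agent listing, 0 if it is absent.
# `exit` in awk still runs END, hence the found flag.
position_of_key() {
    printf '%s\n' "$1" | awk -v fp="$2" '
        $2 == fp { print NR; found = 1; exit }
        END      { if (!found) print 0 }'
}

# Succeeds (exit 0) when the key is reached within max_tries rejected offers.
# Usage: key_within_budget "<ssh-add -l output>" <fingerprint> <max_tries>
key_within_budget() {
    pos=$(position_of_key "$1" "$2")
    [ "$pos" -gt 0 ] && [ "$pos" -le "$3" ]
}

# Client-side workaround: pin one key to the host so nothing else is offered.
# IdentitiesOnly makes ssh skip the other agent keys; the pinned key may still
# live in the agent, so the private key never has to leave the laptop.
# The host name and key path passed in are assumptions for this example.
client_workaround() {
    cat <<EOF
Host $1
    IdentitiesOnly yes
    IdentityFile $2
EOF
}

TARGET=SHA256:gggggggg   # the constructed bitbucket key, 7th in the agent
if key_within_budget "$AGENT_LIST" "$TARGET" "$DEFAULT_MAX_AUTH_TRIES"; then
    echo "key is offered within $DEFAULT_MAX_AUTH_TRIES tries"
else
    echo "key is at position $(position_of_key "$AGENT_LIST" "$TARGET");"
    echo "raise MaxAuthTries to at least that, or add to ~/.ssh/config:"
    client_workaround bitbucket.org '~/.ssh/id_ed25519_bitbucket'
fi
```

Run it against real output with `position_of_key "$(ssh-add -l)" <fingerprint>`; `ssh -v` also shows the offer order in its "Offering public key" lines, which is the quickest way to confirm which key the server never sees.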

Comments (2)

  1. Charles McLaughlin

    Hi Barry,

    Again, thanks for the suggestion. My suggestion in #3363 applies to this issue as well. You can manage multiple keys on the client side. Point taken that this isn't ideal for large enterprise environments. We hope to make some improvements in that area in the coming year.
