Details
Suggestion
Resolution: Won't Fix
Description
The use case is pretty simple: pushing code to a bitbucket repo on a remote system without exposing an encrypted private key, stored locally (usually a laptop), loaded via ssh agent. Well aware of another ssh agent issue, this has been tested and is not related.
This works with bitbucket with a small number of keys, but it is inadequate for enterprise environments where there are likely more than 6 keys.
* This can be increased by a simple packaged rebuild of ssh bumping AUTH_FAIL_MAX to a reasonable number (i.e., 12). There is a theoretical reduction of complexity for attacking SSH, but it's assumed there are standard measures in place to detect and block malicious bots hammering the service (meta: practicality vs. unusable security tradeoff).
Also required:
/etc/ssh/sshd_config:
MaxAuthTries 12 # with modified AUTH_FAIL_MAX
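The failure mode described in this issue is that ssh-agent offers every loaded key in turn and each rejected key counts toward the server's MaxAuthTries, so a laptop with more keys than the server's limit can be disconnected before the right key is ever tried. The following is an added example written for this page; it is not code from the issue, from Bitbucket or from OpenSSH. It shows the arithmetic behind the cutoff, the client-side alternative to rebuilding sshd (pinning one key per host with IdentitiesOnly, which still lets the agent hold the private key), and a check of what MaxAuthTries a given sshd_config actually sets. The host name bitbucket.example.com and the key path ~/.ssh/id_ed25519_bb.pub are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the issue or any project: why a large ssh-agent
# key ring trips MaxAuthTries, and how to avoid it without rebuilding sshd.
# Hypothetical names used below: bitbucket.example.com, ~/.ssh/id_ed25519_bb.pub

# Print "yes" when offering KEYS agent keys in sequence can exhaust
# MAXTRIES. Every rejected public key is one failed attempt, and sshd
# disconnects once failures reach MaxAuthTries, so in the worst case
# (the wanted key is offered last) the limit is hit when KEYS > MAXTRIES.
would_exhaust_tries() {
    keys=$1; maxtries=$2
    if [ "$keys" -gt "$maxtries" ]; then echo yes; else echo no; fi
}

# Emit a ~/.ssh/config stanza that restricts HOST to a single identity.
# With IdentitiesOnly yes, ssh only offers the key named in IdentityFile
# even if the agent holds more; naming the .pub file is enough, because
# the agent is still asked to sign with the matching private key.
host_block() {
    host=$1; keyfile=$2
    printf 'Host %s\n    IdentitiesOnly yes\n    IdentityFile %s\n' "$host" "$keyfile"
}

# Server side, for comparison with the sshd_config line in the issue:
# report the MaxAuthTries value set in config file CFG, or the OpenSSH
# default of 6 when the directive is absent. Keywords are case-insensitive.
effective_max_auth_tries() {
    cfg=$1
    v=$(awk 'tolower($1)=="maxauthtries"{print $2; exit}' "$cfg" 2>/dev/null)
    echo "${v:-6}"
}

# Demonstration: eight agent keys against the default limit, then the
# per-host stanza that makes the number of loaded keys irrelevant.
echo "8 keys vs MaxAuthTries 6 can fail: $(would_exhaust_tries 8 6)"
echo "8 keys vs MaxAuthTries 12 can fail: $(would_exhaust_tries 8 12)"
echo "Suggested ~/.ssh/config stanza:"
host_block bitbucket.example.com "~/.ssh/id_ed25519_bb.pub"
```

Raising MaxAuthTries on the server widens the window for online password and key guessing on every connection, which is the tradeoff the issue acknowledges; the IdentitiesOnly stanza removes the need for that change on the client that actually has the many keys, and `ssh -v` shows which identities are being offered if it is unclear whether the stanza took effect.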