Currently: 'conq: repository access denied.' occurs when a public key is invalid for this repo but valid for another account when loaded before the public key desired. This is very painful for users managing multiple projects.
This happens because authentication succeeds: 'debug1: Authentication succeeded (publickey).' means that ssh will accept whatever key is there blindly and pass off complete responsibility for authorization to conq. This, unfortunately, leads to fucking the customer.
This setup subtly prevents ssh from retrying normally because authentication has already succeeded.
The most effective solution would be to modify OpenSSH (very carefully, within the realm of possibility) to check for a specific exit value to indicate authorization failure from the restricted environment (shell replacement). This averts heavy, high-maintenance customization of OpenSSH when the existing 'conq' script has already been proven to implement the specific authorization necessary. Simply return the authorization failure exit code in conq for 'repository access denied', and OpenSSH would then retry the next method/key available.
Proposed /etc/ssh/sshd_config:

    ScriptedAuthorization yes
    ScriptedAuthorizationFailsOnExitCode 120
    # The restricted environment (shell replacement) must return this value (i.e., 120) to signify authorization failure; auth will be retried with the next available key/method.
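
The following is an added example, not code from this report, from conq or from OpenSSH: a small shell model of the current behaviour beside the proposed one. The `conq_stub` function, the ACL and the key names are constructed for illustration, and the retry loop only models what the proposed directives would do, since they are not existing OpenSSH options.

```shell
#!/bin/sh
# Model of the proposal above. All names and data here are constructed.
AUTHZ_FAIL=120   # value of the proposed ScriptedAuthorizationFailsOnExitCode

# Constructed ACL: one "<key-id>:<repo>" pair per line.
ACL='alice-work:acme/api
alice-personal:alice/dotfiles'

# Stand-in for the conq forced command: authorization only.
# Returns 0 if the key may access the repo, AUTHZ_FAIL if not.
conq_stub() {
    key_id=$1
    repo=$2
    if printf '%s\n' "$ACL" | grep -Fxq -- "$key_id:$repo"; then
        return 0
    fi
    echo "conq: repository access denied." >&2
    return "$AUTHZ_FAIL"
}

# Current behaviour: the first key the server accepts ends authentication,
# so a denial from the forced command is final and no other key is tried.
session_current() {
    repo=$1; shift
    conq_stub "$1" "$repo"
}

# Proposed behaviour: AUTHZ_FAIL marks the key as rejected and the next
# offered key is tried. Any other non-zero status is a real error and is
# returned without a retry.
session_proposed() {
    repo=$1; shift
    for key_id in "$@"; do
        rc=0
        conq_stub "$key_id" "$repo" 2>/dev/null || rc=$?
        [ "$rc" -eq "$AUTHZ_FAIL" ] && continue
        return "$rc"
    done
    echo "conq: repository access denied." >&2
    return "$AUTHZ_FAIL"
}
```

Arguments are the repository followed by the key ids in the order the client would offer them, for example `session_proposed acme/api alice-personal alice-work`.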