
I've used ddev auth ssh to add my ssh identities to my DDEV-Local projects.

But when I use ssh to connect to an external host (ssh example.com), I get "Too many authentication failures":

Received disconnect from 174.127.116.22 port 22:2: Too many authentication failures
Disconnected from 174.127.116.22 port 22

When I use ssh -v example.com, I see it trying six different keys before giving up with the "Too many authentication failures":

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:LrokWMbl1bD0vV0z7Qpn4HLd168NYSIAbqsek6aXIaE agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:ecpRhfcaRWS8EfmYyLuJ81ayhyPWAZd9MG3mKOUKMqA agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:07LrVlDSWu4r+4Eb6WP8FpWYYcREw7IcGm4rtp5v+Ws agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:6L9cIsLlu858CPgb5zZ3v3+5p808uNencyAxJ0S9wOM agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:HwksLkZqEXAK6Zo21+y/C508Mjx2I7EvUQWFScKHsAQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:dsGaELF0OPNyQfIYZoEyI+dP3AQqh5r+15iUwfalNtc agent
Received disconnect from 174.127.116.75 port 22:2: Too many authentication failures
Disconnected from 174.127.116.75 port 22

How can I solve this problem? Note that I have 10 different private keys in my ~/.ssh directory.

rfay

2 Answers


It seems ssh wasn't designed for use with loads and loads of private keys, but some people end up with lots of them anyway. (Note that you can use a single private key for many, many purposes; all you share with the world or an external service is the public key, which does not give away any information about the private key.)

Since ddev auth ssh is setting up an ssh agent for you, and there doesn't seem to be a way to make ssh choose a specific identity from among the identities provided by the agent, you'll need to use one of two workarounds.

Workaround #1: Use just a few keys

You could, of course, winnow down the number of keys in your ~/.ssh directory to 6 or fewer (6 is the default in sshd on the server side for MaxAuthTries). But let's assume you don't want to do that.

Create a directory, maybe ~/ddev-ssh-keys. In that directory, either copy or symlink the 6 keys you use most often. So cd ~/ddev-ssh-keys && for item in goodkey1 goodkey2 ... goodkey6; do ln -s ~/.ssh/$item; done (or any way you want to accomplish the linking or copying).

Now ddev auth ssh -d ~/ddev-ssh-keys and the ddev-ssh-agent will only have those 6 keys. If they're the right keys to solve most of your problems, you should be good with this approach.

Workaround #2: Copy keys into the container using .ddev/homeadditions

This workaround will let you actually copy the key(s) you want into the web container. This probably isn't as secure as the first approach (because you should never really copy your private keys anywhere), but it works.

If you really want the keys in the container (as opposed to using the agent), then mkdir -p .ddev/homeadditions/.ssh && cp ~/.ssh/<yourimportantkey(s)> .ddev/homeadditions/.ssh && chmod 700 .ddev/homeadditions/.ssh && chmod 600 .ddev/homeadditions/.ssh/*. You can then use the .ddev/homeadditions/.ssh/config file any way you want, including specifying keys.

This answer is adapted from https://github.com/drud/ddev/pull/2224

rfay
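An added helper for Workaround #1 (example code, not part of the answer above): it builds the trimmed directory that ddev auth ssh -d reads, refuses more than 6 keys (the server-side MaxAuthTries default the answer cites), and checks every named key exists before linking anything. Directory and key names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer: build the trimmed directory that
# `ddev auth ssh -d` will read, so the agent never holds more keys than the
# server-side MaxAuthTries default of 6 quoted in the answer.
# Paths and key names are placeholders; usage:
#   link_keys ~/.ssh ~/ddev-ssh-keys goodkey1 goodkey2 && ddev auth ssh -d ~/ddev-ssh-keys
MAX_KEYS=6

# link_keys SRC_DIR DEST_DIR key1 [key2 ...]
# Symlinks each named private key (and its .pub, when present) from SRC_DIR into
# DEST_DIR. Fails without touching anything if more than MAX_KEYS keys are named
# or a key is missing, so a typo cannot silently leave you with fewer keys.
link_keys() {
    src="$1"; dest="$2"; shift 2
    if [ "$#" -gt "$MAX_KEYS" ]; then
        echo "refusing: $# keys requested, server default MaxAuthTries is $MAX_KEYS" >&2
        return 1
    fi
    for key in "$@"; do
        if [ ! -f "$src/$key" ]; then
            echo "missing private key: $src/$key" >&2
            return 1
        fi
    done
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1          # same permissions ssh expects on ~/.ssh
    for key in "$@"; do
        ln -sf "$src/$key" "$dest/$key" || return 1
        if [ -f "$src/$key.pub" ]; then
            ln -sf "$src/$key.pub" "$dest/$key.pub" || return 1
        fi
    done
    return 0
}

# count_private_keys DIR : number of private keys in DIR (everything that is not a .pub)
count_private_keys() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue           # unmatched glob leaves the literal pattern
        case "$f" in *.pub) continue ;; esac
        n=$((n + 1))
    done
    echo "$n"
}
```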

This is an extension of rfay's Workaround #2, to make it more secure. You can use the public part of a key pair to specify which private key you want to use from the ssh agent. So, instead of copying your private keys into the .ddev/homeadditions/.ssh folder, just copy the pub keys. For example, mkdir -p .ddev/homeadditions/.ssh && cp ~/.ssh/*.pub .ddev/homeadditions/.ssh && chmod 700 .ddev/homeadditions/.ssh && chmod 600 .ddev/homeadditions/.ssh/*.

Technically, you don't even need to 'chmod 600' the key files since they're the pub keys, but it does add some security.

You can then specify the key to use on the command line:

ssh -i ~/.ssh/id_rsa.pub example@example.com

ssh -o IdentityFile=~/.ssh/id_rsa.pub example@example.com

Or you can specify the IdentityFile in your .ssh/config file.

JonathanW
  • Super nice, thanks! How do you make this work with a private composer repo or the like? – rfay Jan 29 '22 at 01:53
  • @rfay I'm sorry, I'm not understanding your question. – JonathanW Jan 30 '22 at 20:37
  • Thanks, yeah, you explained how to do it using ssh directly, but people will want to use it with other situation, like a composer private repo which uses ssh but doesn't expose it directly. – rfay Jan 31 '22 at 22:45
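Two added helpers around the symptom in the question and the fix in this answer (example code, not from either post): one counts the identities an ssh -v run offered, so you can see whether you are at the 6-key limit before a server cuts you off; the other emits a Host stanza that pins one key by its public half and adds IdentitiesOnly, a real ssh_config option, so no other agent key is tried. Host names, paths and fingerprints below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from either answer above. Helpers for the symptom in the
# question: measure how many agent identities an `ssh -v` run offered, and emit an
# ssh_config stanza that pins one key via its public half (this answer's idea) plus
# IdentitiesOnly, a real ssh_config option, so ssh offers nothing else from the agent.
# Host names, paths and fingerprints here are constructed placeholders.
MAX_AUTH_TRIES=6   # sshd default on the server side, as the first answer notes

# Constructed `ssh -v` excerpt in the same shape as the question's output.
SAMPLE_DEBUG='debug1: Offering public key: user@host RSA SHA256:AAAA1 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: user@host RSA SHA256:BBBB2 agent
debug1: Offering public key: user@host RSA SHA256:CCCC3 agent
debug1: Offering public key: user@host RSA SHA256:DDDD4 agent
debug1: Offering public key: user@host RSA SHA256:EEEE5 agent
debug1: Offering public key: user@host RSA SHA256:FFFF6 agent
Received disconnect from 192.0.2.10 port 22:2: Too many authentication failures'

# offered_keys < ssh-v-output : number of identities the client offered
offered_keys() {
    grep -c 'Offering public key:' || true     # grep -c exits 1 on a count of 0
}

# offered_fingerprints < ssh-v-output : one SHA256 fingerprint per line, in offer order
offered_fingerprints() {
    sed -n 's/.*Offering public key: .* \(SHA256:[^ ]*\).*/\1/p'
}

# diagnose < ssh-v-output : 0 if the run stayed under the server's limit, 1 if the
# server cut the session off for too many failures, 2 if the key count alone is risky
diagnose() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | offered_keys)
    if printf '%s\n' "$out" | grep -q 'Too many authentication failures'; then
        echo "server disconnected after $n offered keys; pin one key or trim the agent" >&2
        return 1
    elif [ "$n" -ge "$MAX_AUTH_TRIES" ]; then
        echo "$n keys offered, at the default MaxAuthTries of $MAX_AUTH_TRIES" >&2
        return 2
    fi
    return 0
}

# pin_key_stanza HOST PUBKEY_PATH : ssh_config Host block that offers only the agent
# identity whose public half is PUBKEY_PATH (append it to ~/.ssh/config or to
# .ddev/homeadditions/.ssh/config for the web container)
pin_key_stanza() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}
```

Run ssh -v example.com 2>&1 | diagnose to check a real session; the public key named in the stanza must be the one whose private half the agent already holds.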