Bug 790921 – gnome-keyring breaks SSH when there are too many SSH keys

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 790921 - gnome-keyring breaks SSH when there are too many SSH keys


Summary:	gnome-keyring breaks SSH when there are too many SSH keys


Status:	RESOLVED OBSOLETE

Product:	gnome-keyring
Classification:	Core
Component:	ssh-agent
Version:	3.20.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	GNOME keyring maintainer(s)
QA Contact:	GNOME keyring maintainer(s)

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2017-11-27 21:23 UTC by Ralf
Modified:	2021-06-18 10:39 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Ralf 2017-11-27 21:23:05 UTC

Steps to reproduce:

* Have 6 passwordless public-private key pairs in ~/.ssh
* Try to connect to a standard SSH server (pretty much default configuration) for which you only have a password.

Expected behavior:

It should be possible to connect.  Connecting works fine when using the native ssh-agent.

Actual behavior:

When running Gnome, connecting to the server fails.  Running "ssh -vv" shows that the client tries all my SSH keys before even asking me for a password, which leads to the server responding "Too many authentication failures":

> $ sftp -vv ...
> OpenSSH_7.6p1 Debian-2, OpenSSL 1.0.2m  2 Nov 2017
> debug1: Reading configuration data /home/r/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug2: resolving XXX
> debug2: ssh_connect_direct: needpriv 0
> debug1: Connecting to XXX.
> debug1: Connection established.
[snip]
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Offering public key: XXXX
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug1: Offering public key: XXXX
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug1: Offering public key: XXXX
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug1: Offering public key: XXXX
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug1: Offering public key: XXXX
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug1: Offering public key: XXXX
> debug2: we sent a publickey packet, wait for reply
> Received disconnect from XXX: Too many authentication failures
> Disconnected from XXX
> Connection closed

Adding `-o PreferredAuthentications=password` fixes the problem, but that really should not be necessary -- and it is pretty hard to find out.

Comment 1 André Klapper 2021-06-18 10:39:38 UTC

GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/

Thank you for your understanding and your help.