I've used ddev auth ssh to add my ssh identities to my DDEV-Local projects.
But when I use ssh to connect to an external host, ssh example.com, I get "Too many authentication failures":
Received disconnect from 174.127.116.22 port 22:2: Too many authentication failures
Disconnected from 174.127.116.22 port 22
When I use ssh -v example.com I see it trying six different keys before giving up with the "Too many authentication failures":
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:LrokWMbl1bD0vV0z7Qpn4HLd168NYSIAbqsek6aXIaE agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:ecpRhfcaRWS8EfmYyLuJ81ayhyPWAZd9MG3mKOUKMqA agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:07LrVlDSWu4r+4Eb6WP8FpWYYcREw7IcGm4rtp5v+Ws agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:6L9cIsLlu858CPgb5zZ3v3+5p808uNencyAxJ0S9wOM agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:HwksLkZqEXAK6Zo21+y/C508Mjx2I7EvUQWFScKHsAQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: rfay@rfay-mbp-2017.local RSA SHA256:dsGaELF0OPNyQfIYZoEyI+dP3AQqh5r+15iUwfalNtc agent
Received disconnect from 174.127.116.75 port 22:2: Too many authentication failures
Disconnected from 174.127.116.75 port 22
How can I solve this problem? Note that I have 10 different private keys in my ~/.ssh directory.
It seems ssh wasn't designed for use with loads and loads of private keys, but some people end up with lots of them anyway. (Note that you can use a single private key for many, many purposes; all you share with the world or an external service is the public key, which does not give away any information about the private key.)
Pass individual keys to ddev auth ssh with:
ddev auth ssh -f ~/.ssh/id_ed25519 -f ~/.ssh/id_rsa
Previous techniques:
Since ddev auth ssh is setting up an ssh agent for you, and there doesn't seem to be a way to make ssh choose a specific identity from among the identities provided by the agent, you'll need to use one of two workarounds.
You could, of course, winnow down the number of keys in your ~/.ssh directory to 6 or fewer (6 is the default in sshd on the server side for MaxAuthTries). But let's assume you don't want to do that.
Create a directory, maybe ~/ddev-ssh-keys. In that directory, either copy or symlink the 6 keys you use most often. So cd ~/ddev-ssh-keys && for item in goodkey1 goodkey2 ... goodkey6; do ln -s ~/.ssh/$item; done (or any way you want to accomplish the linking or copying).
Now ddev auth ssh -d ~/ddev-ssh-keys and the ddev-ssh-agent will only have those 6 keys. If they're the right keys to solve most of your problems, you should be good with this approach.
This workaround will let you actually copy the key(s) you want into the web container. This probably isn't as secure as the first approach (because you should never really copy your private keys anywhere), but it works.
If you really want the keys in the container (as opposed to using the agent), then mkdir -p .ddev/homeadditions/.ssh && cp ~/.ssh/<yourimportantkey(s)> .ddev/homeadditions/.ssh && chmod 700 .ddev/homeadditions/.ssh && chmod 600 .ddev/homeadditions/.ssh/*. You can then use the .ddev/homeadditions/.ssh/config file any way you want, including specifying keys.
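
An added example, not part of the original answer or of DDEV itself: a shell helper for the first workaround that counts the key offers in saved ssh -v output and builds the curated directory for ddev auth ssh -d, refusing more keys than the MaxAuthTries default of 6 mentioned above. The names link_keys, count_offers and MAX_KEYS are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: curate the keys handed to `ddev auth ssh -d <dir>`.
# MAX_KEYS mirrors the sshd MaxAuthTries default of 6 cited in the answer;
# adjust it if the server you connect to is configured differently.
MAX_KEYS=6

# count_offers FILE
# Print how many keys the client offered, given saved `ssh -v` output.
# A count at or above MAX_KEYS explains "Too many authentication failures".
count_offers() {
  grep -c 'Offering public key:' "$1" || true
}

# link_keys SRC_DIR DEST_DIR KEY...
# Symlink the named private keys from SRC_DIR into DEST_DIR.
# Fails before touching DEST_DIR if too many keys are requested
# or if any named key does not exist in SRC_DIR.
link_keys() {
  local src="$1" dest="$2" key
  shift 2
  if [ "$#" -gt "$MAX_KEYS" ]; then
    echo "refusing: $# keys requested, limit is $MAX_KEYS" >&2
    return 1
  fi
  for key in "$@"; do
    if [ ! -f "$src/$key" ]; then
      echo "refusing: $src/$key not found" >&2
      return 1
    fi
  done
  mkdir -p "$dest" || return 1
  chmod 700 "$dest" || return 1
  for key in "$@"; do
    ln -sfn "$src/$key" "$dest/$key" || return 1
  done
}

# Typical use (key names are placeholders):
#   link_keys ~/.ssh ~/ddev-ssh-keys id_ed25519 id_rsa
#   ddev auth ssh -d ~/ddev-ssh-keys
```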