ssh_config: ignore pre-existing SSH keys on client (#14646)

sshd limits the number of authentication attempts permitted per established connection. The limit is set via the MaxAuthTries option and defaults to six attempts. Client SSH environments that define more than six SSH keys globally or in the agent would exhaust authentication attempts before they reach the algo-specified per-instance SSH private key. SSH client allows "forgetting" existing keys per connection using the IdentitiesOnly option. A client only offers an explicitly defined key when this option is set.
2025-04-04 16:29:57 +02:00 · 2023-09-27 08:15:35 -07:00 · 2023-09-27 08:15:35 -07:00 · fd6efb71f2
commit fd6efb71f2
parent a5b30cdbfe
2 changed files with 2 additions and 0 deletions
--- a/roles/ssh_tunneling/templates/ssh_config.j2
+++ b/roles/ssh_tunneling/templates/ssh_config.j2
@ -2,6 +2,7 @@ Host algo
  DynamicForward 127.0.0.1:1080
  LogLevel quiet
  Compression yes
+  IdentitiesOnly yes
  IdentityFile {{ item }}.ssh.pem
  User {{ item }}
  Hostname {{ IP_subject_alt_name }}
--- a/server.yml
+++ b/server.yml
@ -32,6 +32,7 @@
                    HostName {{ IP_subject_alt_name }}
                    User {{ ansible_ssh_user }}
                    Port {{ ansible_ssh_port }}
+                    IdentitiesOnly yes
                    IdentityFile {{ SSH_keys.private | realpath }}
                    KeepAlive yes
                    ServerAliveInterval 30