From ffee12c784f3bd975eaead6fe36ed8377aa11fb7 Mon Sep 17 00:00:00 2001
From: Dima Scherbakov
Date: Sat, 26 Aug 2023 19:42:27 +0200
Subject: [PATCH] ssh_config: ignore pre-existing SSH keys on client

sshd limits the number of authentication attempts permitted per established connection. The limit is set via the MaxAuthTries option and defaults to six attempts. Client SSH environments that define more than six SSH keys globally or in the agent would exhaust authentication attempts before they reach the algo-specified per-instance SSH private key. SSH client allows "forgetting" existing keys per connection using the IdentitiesOnly option. A client only offers an explicitly defined key when this option is set.
---
 roles/ssh_tunneling/templates/ssh_config.j2 | 1 +
 server.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/roles/ssh_tunneling/templates/ssh_config.j2 b/roles/ssh_tunneling/templates/ssh_config.j2
index 04931fc..54600b1 100644
--- a/roles/ssh_tunneling/templates/ssh_config.j2
+++ b/roles/ssh_tunneling/templates/ssh_config.j2
@@ -2,6 +2,7 @@ Host algo
 DynamicForward 127.0.0.1:1080
 LogLevel quiet
 Compression yes
+ IdentitiesOnly yes
 IdentityFile {{ item }}.ssh.pem
 User {{ item }}
 Hostname {{ IP_subject_alt_name }}
diff --git a/server.yml b/server.yml
index 18af459..d1828ea 100644
--- a/server.yml
+++ b/server.yml
@@ -32,6 +32,7 @@
 HostName {{ IP_subject_alt_name }}
 User {{ ansible_ssh_user }}
 Port {{ ansible_ssh_port }}
+ IdentitiesOnly yes
 IdentityFile {{ SSH_keys.private | realpath }}
 KeepAlive yes
 ServerAliveInterval 30
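Review bot: The added `IdentitiesOnly yes` in the ssh_config.j2 hunk carries no in-file explanation of the MaxAuthTries motivation that the commit message gives, so a later reader of the rendered config will not see why the option must stay paired with the `IdentityFile` line below it; ssh_config accepts `#` comments, so add `# Offer only the key configured below: extra global or agent keys would exhaust sshd MaxAuthTries before it is tried` directly above the new line. The same applies to the identical `IdentitiesOnly yes` line added in the server.yml hunk. It may also be worth stating in that comment that, per OpenSSH's documented behaviour, an agent is still consulted for the key named in `IdentityFile`, so a passphrase-protected key loaded into the agent should keep working — this discourages someone from removing the option to "fix" agent use. The `Host algo` block in the first hunk and the YAML block containing the second both begin outside the hunk.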