Hi, when using password authentication as follows (cleartext password, this is intentional):
```python
from fabric import Connection
Connection(host='192.168.x.y', user='me', port=22, connect_kwargs={'password':'passwd'}).run('hostname')
```
Fabric (or Paramiko?) apparently tries the identities held by my SSH agent first, which are a number of SSH keys for other servers than 192.168.x.y, so none of them work:
I know that Fabric tries the identities represented by the agent first, before the provided password, because dialog boxes appear one after the other asking for the passphrases to unlock my SSH keys before password authentication is attempted, and because disabling the agent with 'allow_agent':False in the connect_kwargs argument makes Fabric not ask for passphrases and proceed directly to password authentication.
This behavior is consistent with how OpenSSH's ssh command works, but it is not consistent with the following configuration I have in my ~/.ssh/config file:
```
# Code repositories
Host gitlab.com
    IdentityFile ~/.ssh/id_ed25519_gitlab
Host github.com
    IdentityFile ~/.ssh/id_ed25519_github
[more repositories]
# Personal computers
Host machine1
    Hostname machine1.mydomain.tld
Host machine2
    Hostname machine2.mydomain.tld
[more machines]
Match host *.mydomain.tld
    User myusername
# Only use the configured authentication identity files, even if ssh-agent
# offers more identities - see https://serverfault.com/questions/139870
Host *
    IdentitiesOnly yes
```
With IdentitiesOnly yes, I am explicitly requesting that the agent is not used, except for the hosts for which I have configured identity files. This is because I often have more than six SSH keys, which result in connections being refused because of too many authentication attempts if they are all tried, as explained in the ServerFault post.
OpenSSH's ssh command complies: running ssh -v me@192.168.x.y shows that none of my SSH keys is involved and I am directly asked for the password.
I was expecting Fabric/Paramiko to behave the same and honor IdentitiesOnly yes. So it was surprising to be asked for the passphrase for my GitHub SSH key when attempting to connect to a server in my local network...
Could Fabric consider honoring this parameter? Should I provide it differently? Is this something I should report to Paramiko instead?
Note 1: Tested in a venv on Ubuntu 20.04 with Python 3.12.2, Fabric 3.2.2, and Paramiko 3.4.0
Note 2: I don't start any SSH agent myself, nor do I explicitly load keys into it. My understanding is that an agent is started automatically when I log into my desktop session (GNOME), and that the identities configured in my ~/.ssh/config file are loaded into that agent.
Going to just talk out loud about how this would work:
When a Connection object is created, a paramiko client underlying it is also created; this client can use the config object as well as agent object.
We can trivially empty the agent_keys here, but I think we may be more concerned with the idea instead of changing the parsing of the config object underlying all this, and using that to drive whether agent keys are accepted.
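A caller-side workaround for the behaviour reported above, as an added example that is not part of the issue and not Fabric's or Paramiko's own code: resolve the host against the SSH config and pass `allow_agent=False` whenever `IdentitiesOnly yes` applies. The names `resolve`, `connect_kwargs_for`, `SAMPLE_CONFIG` and the host `legacy.example` are hypothetical; the minimal resolver stands in for Paramiko's `SSHConfig` lookup so the block runs without dependencies, and it handles `Host` blocks only, not `Match`.

```python
import fnmatch

# Constructed sample: a Host-only subset of the ~/.ssh/config quoted in the issue,
# plus one hypothetical host that opts out of IdentitiesOnly.
SAMPLE_CONFIG = """
Host github.com
    IdentityFile ~/.ssh/id_ed25519_github
Host legacy.example
    IdentitiesOnly no
Host *
    IdentitiesOnly yes
"""

def resolve(config_text, host):
    """Minimal ssh_config lookup: first value wins, IdentityFile accumulates.
    Keys are lowercased, as in the dict paramiko.SSHConfig.lookup() returns."""
    result, active = {}, True  # options before the first Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(host, p) for p in pats if not p.startswith("!"))
            neg = any(fnmatch.fnmatchcase(host, p[1:]) for p in pats if p.startswith("!"))
            active = hit and not neg
        elif active and key == "identityfile":
            result.setdefault(key, []).append(value)
        elif active:
            result.setdefault(key, value)
    return result

def connect_kwargs_for(host_conf, password=None):
    """Build connect_kwargs that keep agent identities out when IdentitiesOnly is set."""
    kwargs = {} if password is None else {"password": password}
    if str(host_conf.get("identitiesonly", "no")).lower() == "yes":
        # Stricter than OpenSSH, which can still use an agent key that
        # matches a configured IdentityFile.
        kwargs["allow_agent"] = False
    return kwargs

# Usage with Fabric (placeholder host as in the issue):
# Connection(host="192.168.x.y", user="me",
#            connect_kwargs=connect_kwargs_for(resolve(SAMPLE_CONFIG, "192.168.x.y"), "passwd"))
```

With the agent disabled, a passphrase-protected `IdentityFile` is no longer unlocked by the agent, so its passphrase has to be supplied through `connect_kwargs` instead.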