Bug 195554

Summary: ssh tries an explicit key _after_ key agent keys
Product: Base System Reporter: Andriy Gapon <avg>
Component: binAssignee: Dag-Erling Smørgrav <des>
Status: Closed Not Accepted    
Severity: Affects Only Me CC: des
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   

Description Andriy Gapon freebsd_committer freebsd_triage 2014-12-01 12:47:30 UTC 
I wonder if the way ssh behaves is sane in the following situation.

I have ssh-agent running and there is a number of keys added to it.
Then I run ssh -i foo bar and what I see is that ssh first tries the keys from the agent rather than foo.
But in this case I get "Too many authentication failures" before the explicit key is even tried.
if I unset SSH_AGENT_PID and SSH_AUTH_SOCK then everything is okay, obviously.

Redacted output of ssh -vv:
debug2: key: /home/avg/.ssh/id_dsa (0x8038163c0),
debug2: key: /home/avg/.ssh/id_dsa_xxx (0x803816440),
debug2: key: /home/avg/.ssh/id_dsa_yyy (0x8038164c0),
debug2: key: /home/avg/.ssh/zzz (0x803816540),
debug2: key: /home/avg/.ssh/vvv (0x8038165c0),
debug2: key: /home/avg/.ssh/www (0x803816640),
debug2: key: /usr/local/lib/ruby/gems/2.0/gems/vagrant-1.6.5/keys/vagrant (0x803816100), explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/avg/.ssh/id_dsa
...
debug1: Offering RSA public key: /home/avg/.ssh/www
debug2: we sent a publickey packet, wait for reply
Received disconnect from x.x.x.x: 2: Too many authentication failures for avg
Comment 1 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2015-12-17 19:40:11 UTC 
I suggest raising this issue with the OpenSSH developers, after verifying that it still applies to the latest version (available from ports).