
Bootstrap with multiple SSH-Keys loaded results in "Too many authentication failures"

Open salzig opened this issue 3 years ago • 2 comments

Describe the bug

Bootstrapping flux2 using an ssh-agent with multiple keys loaded (ssh-add -l |wc -l > 6, 24 keys for me) results in "Too many authentication failures" as the agent tries all keys while connecting to the target machine. My .ssh/config is set up to use the right key (IdentitiesOnly=yes, IdentityFile=""), but flux doesn't seem to acknowledge that (also not the Port, had to specify that too).

Workaround:

I managed to bootstrap by unloading all ssh-agent keys (ssh-add -D) and re-adding the specific key to use (ssh-add $path) before running the bootstrap command.

To Reproduce

Run a git server, like Gitea, on git.example.org with a nonstandard ssh port at 7717 and have 7 or more keys loaded by your ssh-agent.

flux bootstrap git --url ssh://[email protected]:7717/infra/cluster.git --branch main 
► cloning branch "main" from Git repository "ssh://[email protected]:7717/infra/cluster.git"
✗ failed to clone repository: ssh: handshake failed: ssh: disconnect, reason 2: Too many authentication failures

Expected behavior

I expected that flux's usage of the ssh-agent would follow my configuration (~/.ssh/config), or at least give me an option to specify which identity to use. Providing --private-key-file doesn't help either, as the key is passphrase protected.

Additional context

  • Kubernetes version: - not relevant - error happens before
  • Git provider: gitea on nonstandard ssh port
  • Container registry provider: any public registry

Below please provide the output of the following commands:

$ flux --version
flux version 0.13.4
$ flux check --pre
► checking prerequisites
✔ kubectl 1.18.2 >=1.18.0-0
✔ Kubernetes 1.20.4+k3s1 >=1.16.0-0
✔ prerequisites checks passed

edit: change the minimal (per default) number of keys to be loaded by the ssh-agent to trigger this error. Thx @gladiatr72 for research.

May 17 '21 13:05 salzig

When using a git repo source that you control (server-side), MaxAuthTries is the OpenSSH sshd server option that controls that threshold. I just checked the defaults included with the latest version (8.6)--defaults to 6.

May 17 '21 20:05 gladiatr72
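
Added example (not part of the original thread and not flux code): a Python check that takes `ssh-add -L` output and the public key you intend to use, and reports whether a client that offers every agent key in order would reach it before the server's MaxAuthTries limit. It assumes each rejected key counts as one failure and that the server disconnects once failures reach the limit; the function names and sample keys are constructed for illustration.

```python
"""Will the intended key be offered before the server gives up?"""

DEFAULT_MAX_AUTH_TRIES = 6  # sshd default quoted in the thread
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_public_keys(listing):
    """Return (type, base64 blob) pairs from `ssh-add -L` or .pub style lines."""
    keys = []
    for line in listing.splitlines():
        fields = line.split()
        # Skips blanks and messages such as "The agent has no identities."
        if len(fields) >= 2 and fields[0].startswith(KEY_TYPE_PREFIXES):
            keys.append((fields[0], fields[1]))  # comment field is ignored
    return keys


def check_agent_order(agent_listing, wanted_pub,
                      max_auth_tries=DEFAULT_MAX_AUTH_TRIES):
    """Model a client that offers every agent key in listing order.

    Assumption: each rejected key counts as one failure and the server
    disconnects once failures reach max_auth_tries.
    """
    offered = parse_public_keys(agent_listing)
    wanted = parse_public_keys(wanted_pub)
    if not wanted:
        raise ValueError("no public key found in wanted_pub")
    if wanted[0] not in offered:
        return {"loaded": len(offered), "position": None, "reached": False}
    position = offered.index(wanted[0]) + 1  # 1-based offer order
    return {
        "loaded": len(offered),
        "position": position,
        # position - 1 keys are rejected before the wanted one is offered
        "reached": position - 1 < max_auth_tries,
    }


# Constructed sample: seven placeholder entries, not real key material.
SAMPLE_AGENT = "\n".join(
    f"ssh-ed25519 CONSTRUCTEDKEY{i:02d} key{i}@example" for i in range(1, 8)
)

if __name__ == "__main__":
    for n in (6, 7):
        wanted = f"ssh-ed25519 CONSTRUCTEDKEY{n:02d} deploy"
        print(n, check_agent_order(SAMPLE_AGENT, wanted))
```

Feed it the real `ssh-add -L` output and the contents of the matching `.pub` file; a result with `reached` false means the key has to be loaded alone or earlier, as in the workaround above.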

This is a problem for us too - our users have many SSH keys and we cannot control the number of auth retries that hosting providers allow.

We generally have users configure SSH keys via ~/.ssh/config Host mappings, however this does not appear to be honored by flux for the bootstrap process (obviously not a problem in-cluster once deploy keys are applied).

Jul 13 '22 09:07 pdf