[Feature request] Fabric does not appear to honor "IdentitiesOnly yes" in my ~/.ssh/config file #2300
Comments
Associated file is Note:
# TODO: set agent_keys to empty list if IdentitiesOnly is true
agent_keys = self.agent.get_keys()
I will see what can be done to add this, unclear if anyone has a PR yet out on it, I'll go have a look.

No-one yet has written anything. I can write one.

Going to just talk out loud about how this would work: When a We can trivially empty the
Hi, when using password authentication as follows (cleartext password, this is intentional):
Fabric (or Paramiko?) apparently tries the identities held by my SSH agent first, which are a number of SSH keys for other servers than 192.168.x.y, so none of them work:
I know that Fabric tries the identities represented by the agent first, before the provided password, because dialog boxes appear one after the other asking for the passphrases to unlock my SSH keys before password authentication is attempted, and because disabling the agent with 'allow_agent':False in the connect_kwargs argument makes Fabric not ask for passphrases and proceed directly to password authentication.

This behavior is consistent with how OpenSSH's ssh command works, but it is not consistent with the following configuration I have in my ~/.ssh/config file:

With IdentitiesOnly yes, I am explicitly requesting that the agent is not used, except for the hosts for which I have configured identity files. This is because I often have more than six SSH keys, which result in connections being refused because of too many authentication attempts if they are all tried, as explained in the ServerFault post.

OpenSSH's ssh command complies: running ssh -v [email protected] shows that none of my SSH keys is involved and I am directly asked for the password.

I was expecting Fabric/Paramiko to behave the same and honor IdentitiesOnly yes. So it was surprising to be asked for the passphrase for my GitHub SSH key when attempting to connect to a server in my local network...

Could Fabric consider honoring this parameter? Should I provide it differently? Is this something I should report to Paramiko instead?
Note 1: Tested in a venv on Ubuntu 20.04 with Python 3.12.2, Fabric 3.2.2, and Paramiko 3.4.0
Note 2: I don't start any SSH agent myself, nor do I explicitly load keys into it. My understanding is that an agent is started automatically when I log into my desktop session (GNOME), and that the identities configured in my ~/.ssh/config file are loaded into that agent.
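
A client-side workaround for the behaviour reported above, as an added example that is not code from the issue, Fabric or Paramiko: it reads the SSH config with paramiko.SSHConfig and turns IdentitiesOnly into the connect arguments that stop agent keys and default key files from being offered. The helper names, the sample config and the 192.168.0.10 address are constructed for illustration.

```python
import os


def _is_yes(value):
    # OpenSSH boolean options are written yes/no (true/false is also accepted).
    return str(value).strip().lower() in ("yes", "true")


def kwargs_from_lookup(opts, password=None):
    """Map one paramiko.SSHConfig.lookup() result to SSHClient.connect() kwargs."""
    kwargs = {}
    identity_files = [os.path.expanduser(p) for p in opts.get("identityfile", [])]
    if _is_yes(opts.get("identitiesonly", "no")):
        # Offer nothing the config did not name: no agent keys and no
        # automatic discovery of ~/.ssh/id_* files.
        kwargs["allow_agent"] = False
        kwargs["look_for_keys"] = False
    if identity_files:
        kwargs["key_filename"] = identity_files
    if password is not None:
        kwargs["password"] = password
    return kwargs


def kwargs_for_host(host, config_text, password=None):
    """Parse SSH config text and build the connect kwargs for one host."""
    import paramiko  # imported here so the mapping above works without it

    cfg = paramiko.SSHConfig.from_text(config_text)
    return kwargs_from_lookup(cfg.lookup(host), password)


# Constructed sample config: one host with an identity file, IdentitiesOnly for all.
SAMPLE_CONFIG = """\
Host github.com
    IdentityFile ~/.ssh/id_github

Host *
    IdentitiesOnly yes
"""

if __name__ == "__main__":
    for host in ("github.com", "192.168.0.10"):
        print(host, kwargs_for_host(host, SAMPLE_CONFIG))
```

The resulting dict uses the same keys as the connect_kwargs argument mentioned in the issue. Unlike OpenSSH, this also stops the agent from supplying the listed identity files, so a passphrase-protected key file needs its passphrase passed to connect.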