Lars Noodin wrote:
> It seems that ssh-add, ssh-agent or sshd start letting any key in when
> authorized_keys contains an overwhelming number of keys.
>
> I made three sets of rsa keys, 768 bits, 1024 bits and 2048 bits, each
> with over 90000 rsa keys apiece. On the client, I start ssh-agent and
> load a key using ssh-add. This lets me log in using that specific key
> as normal, and not with others with small numbers of keys.
>
> I'm not sure what number of keys makes the overload.
> On the setup I have with current, 90001 keys and fewer in
> authorized_keys gives expected behavior. However, when I put 90002
> public keys in .ssh/authorized_keys, then *any* key is accepted
> regardless of which was loaded using ssh-add and no pass phrase is
> requested. That behavior is exhibited using any of the three key lengths.
>
> Here is an illustration.
>
> # two keys with different fingerprints and pass phrases
> $ ssh-keygen -l -f ./Keys768/key_rsa_90000;ssh-keygen -l \
> -f ./Keys768/key_rsa_00000;
> 768 87:d2:95:1d:c6:ad:c1:af:c1:ac:94:84:1c:cf:9c:88 \
> ./Keys768/key_rsa_90000.pub (RSA)
> 768 37:42:e3:de:40:64:ed:6f:a2:92:43:d4:05:52:fc:72 \
> ./Keys768/key_rsa_00000.pub (RSA)
>
> # clear ssh agent
> ssh-add -D;
> All identities removed.
>
> # load key 00000
> $ ssh-add ./Keys768/key_rsa_00000
> Enter passphrase for ./Keys768/key_rsa_00000:
> Identity added: ./Keys768/key_rsa_00000 \
> (./Keys768/key_rsa_00000)
>
> # show which key is loaded (00000)
> $ ssh-add -l
> 768 37:42:e3:de:40:64:ed:6f:a2:92:43:d4:05:52:fc:72 \
> ./Keys768/key_rsa_00000 (RSA)
> $ ssh -i ./Keys768/key_rsa_90000 -l lizard 127.0.0.1 \
> whoami
> lizard
>
> # show that key 00000 is loaded in the agent
> $ time ssh -i ./Keys768/key_rsa_00000 -l lizard 127.0.0.1 whoami
> lizard
> 0m3.80s real 0m0.00s user 0m0.01s system
>
> # now log in with two more keys we aren't using
> $ time ssh -i ./Keys768/key_rsa_10000 -l lizard 127.0.0.1 whoami
> lizard
> 0m3.85s real 0m0.01s user 0m0.00s system
> $ time ssh -i ./Keys768/key_rsa_20000 -l lizard 127.0.0.1 whoami
> lizard
> 0m3.84s real 0m0.00s user 0m0.01s system
>
> $ ssh-add -l
> 768 37:42:e3:de:40:64:ed:6f:a2:92:43:d4:05:52:fc:72 \
> ./Keys768/key_rsa_00000 (RSA)
>
>
> I have some more material also regarding how long it takes to tar or
> move 90+K files in FFS.
>
> I realize that there may not be too many occasions that an account
> is going to be shared with that many keys, but an error message or
> failure to be able to log in (with the wrong key) is what I was expecting.
Is not your "problem" just that ssh, after trying the key supplied with -i, tries any key loaded into ssh-agent? What if you try ``ssh-add -D'' before trying to log in with the invalid keys? Otherwise, try adding -v to see what happens and what keys are really used to log in.

/Alexander
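As an added illustration (not part of the thread), a small shell helper that applies Alexander's suggestion: it reads `ssh -v` client output and reports which identity the server actually accepted, flagging the case where an agent key rather than the -i key logged in. The log lines are constructed in the format recent OpenSSH clients print (exact wording varies by version), and IdentitiesOnly=yes is OpenSSH's own option for offering only the keys named with -i or IdentityFile.

```shell
#!/bin/sh
# Constructed sample of `ssh -v` output (not captured from the poster's
# system). The -i key is offered first and rejected; the agent then offers
# key_rsa_00000, which the server accepts, so the login "works" even though
# the wrong key was passed with -i.
SAMPLE_LOG='debug1: Offering public key: ./Keys768/key_rsa_90000 RSA SHA256:AAAA
debug1: Authentications that can continue: publickey
debug1: Offering public key: ./Keys768/key_rsa_00000 RSA SHA256:BBBB agent
debug1: Server accepts key: ./Keys768/key_rsa_00000 RSA SHA256:BBBB agent
debug1: Authentication succeeded (publickey).'

# List the identities the client offered, in order, one per line.
offered_keys() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Offering public key: \([^ ]*\).*/\1/p'
}

# Print the identity the server accepted (empty if none was accepted).
accepted_key() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Server accepts key: \([^ ]*\).*/\1/p' | head -n 1
}

# Compare the key passed with -i against the one that authenticated.
# Returns 0 if they match, 1 if another identity (e.g. from the agent) logged in.
check_identity() {
    wanted="$1"
    log="$2"
    got="$(accepted_key "$log")"
    if [ "$got" = "$wanted" ]; then
        echo "OK: authenticated with $wanted"
        return 0
    fi
    echo "MISMATCH: asked for $wanted, server accepted ${got:-no key}"
    echo "Offered identities, in order:"
    offered_keys "$log"
    echo "Hint: re-run with -o IdentitiesOnly=yes to offer only the -i key"
    return 1
}

# Reproduces the poster's case: -i names key 90000, but key 00000 from the
# agent is what actually authenticated.
check_identity ./Keys768/key_rsa_90000 "$SAMPLE_LOG" || :
```

On a live system, feed it real output with something like `ssh -v -i KEY user@host true 2>&1`, or simply add `-o IdentitiesOnly=yes` and confirm the wrong key is now refused.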

