Opened 3 hours ago

#13217 new Feature request

Allow specifying a public key file to filter SSH-Agent keys for authentication

Reported by: EchoPhage Owned by:
Priority: normal Component: FileZilla Client
Keywords: SSH, SFTP, Agent, Key Management, Security, Rate Limit Cc: EchoPhage
Component version: Operating system type:
Operating system version:

Description

Current Behavior:

FileZilla currently supports SSH authentication via an SSH-Agent (e.g., OpenSSH Agent, 1Password SSH Agent, Pageant). However, when using an agent that holds multiple keys, FileZilla sequentially attempts all available keys until one is accepted by the server.

This behavior is problematic in some cases:

Security concern: The server sees multiple failed authentication attempts before the correct key is used, which could trigger security alerts or lockouts.
Rate limits: Some servers limit authentication attempts and may deny access after multiple failures.
Performance: Trying multiple keys introduces unnecessary delays in establishing connections.

Proposed Enhancement:

I suggest adding an option in FileZilla's connection settings to specify a public key file (.pub).
The key mechanism should work as follows:

User specifies a .pub file in FileZilla’s settings (or through an SSH config entry).
FileZilla extracts the key fingerprint from the .pub file.
FileZilla requests only this key from the SSH-Agent, instead of iterating over all available keys.
Only the specified key is used for authentication, avoiding unnecessary rejections.

Important Clarification:

Currently, FileZilla allows users to specify a private key in its settings, but that bypasses the SSH-Agent entirely. What I am proposing here is not about manually specifying a private key inside FileZilla, but about using a public key file (.pub) as a filter to tell FileZilla which key to request from the SSH-Agent.

This is already possible in OpenSSH by setting:

Host example.com
    User myuser
    IdentityAgent ~/.1password/agent.sock
    IdentitiesOnly yes
    IdentityFile ~/.ssh/my_key.pub

With this configuration, OpenSSH only asks the agent for the matching private key of the .pub file, preventing unnecessary key attempts. However, FileZilla currently ignores this behavior and still tries all available agent keys, leading to potential security issues and rate limits.
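The mechanism the ticket describes (list the agent's identities, keep only the one whose key blob matches the given .pub file, and then ask the agent to sign with that blob alone) is what OpenSSH's IdentitiesOnly does under the hood. The following added example, which is not part of this ticket or of FileZilla's code, shows the relevant pieces of the SSH agent protocol in Python: framing of SSH_AGENTC_REQUEST_IDENTITIES, parsing of SSH_AGENT_IDENTITIES_ANSWER, matching against a parsed .pub line, computing the SHA256 fingerprint for display, and building a SSH_AGENTC_SIGN_REQUEST for the selected blob only. The agent response and the three ed25519 key blobs are constructed inline so the script runs offline; no real agent is contacted.

```python
import base64
import hashlib
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; returns (data, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def parse_pub_file(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH .pub line ('type base64 [comment]')."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed .pub line")
    blob = base64.b64decode(parts[1])
    ktype, _ = read_ssh_string(blob, 0)
    # The blob embeds its own type; it must agree with the leading text field.
    if ktype.decode() != parts[0]:
        raise ValueError("key type in blob does not match .pub header")
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_request_identities() -> bytes:
    """Framed SSH_AGENTC_REQUEST_IDENTITIES message as sent to the agent socket."""
    return ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def parse_identities_answer(msg: bytes):
    """Parse a framed SSH_AGENT_IDENTITIES_ANSWER into [(key_blob, comment), ...]."""
    body, _ = read_ssh_string(msg, 0)
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %d" % body[0])
    (count,) = struct.unpack_from(">I", body, 1)
    off, identities = 5, []
    for _ in range(count):
        blob, off = read_ssh_string(body, off)
        comment, off = read_ssh_string(body, off)
        identities.append((blob, comment.decode(errors="replace")))
    return identities


def select_identity(identities, wanted_blob: bytes):
    """Keep only the agent identity whose blob equals the .pub file's blob."""
    return [(b, c) for b, c in identities if b == wanted_blob]


def build_sign_request(blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Framed SSH_AGENTC_SIGN_REQUEST for exactly one key; no other key is offered."""
    body = bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(blob) + ssh_string(data)
    return ssh_string(body + struct.pack(">I", flags))


# --- constructed test fixtures (not real keys) -------------------------------
def make_ed25519_blob(fill: int) -> bytes:
    """Constructed ssh-ed25519 blob: type string + 32-byte 'public key'."""
    return ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)


def build_identities_answer(identities) -> bytes:
    """Construct the framed answer an agent holding these identities would return."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
    for blob, comment in identities:
        body += ssh_string(blob) + ssh_string(comment.encode())
    return ssh_string(body)


def demo():
    """Simulate an agent with three keys and filter it down to the .pub file's key."""
    agent_keys = [(make_ed25519_blob(1), "work"),
                  (make_ed25519_blob(2), "personal"),
                  (make_ed25519_blob(3), "deploy")]
    answer = build_identities_answer(agent_keys)
    pub_line = "ssh-ed25519 " + base64.b64encode(make_ed25519_blob(2)).decode() + " personal"
    wanted = parse_pub_file(pub_line)
    identities = parse_identities_answer(answer)
    chosen = select_identity(identities, wanted)
    sign_req = build_sign_request(chosen[0][0], b"constructed session data")
    return len(identities), [c for _, c in chosen], fingerprint_sha256(wanted), sign_req


if __name__ == "__main__":
    total, chosen, fp, _ = demo()
    print("agent holds %d keys; offering only %s (%s)" % (total, chosen, fp))
```

The comparison is on the full key blob rather than on a fingerprint string, which is also what OpenSSH does; a fingerprint is only derived for logging. Because the client decides which blob goes into the sign request, no other key in the agent is ever presented to the server, which is exactly the behaviour the ticket asks FileZilla to adopt.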

Benefits:

Reduces authentication failures due to unnecessary key attempts.
Improves security by not exposing multiple key attempts to the server.
Avoids potential connection delays due to multiple rejections.
Aligns FileZilla’s SSH behavior with OpenSSH, which allows selecting a key via IdentityFile in ~/.ssh/config.
Works with all SSH-Agent implementations, including 1Password’s SSH-Agent.

Existing Efforts?

I have checked the FileZilla Trac System but have not found any similar requests. If this feature has already been discussed or requested, I sincerely apologize for the oversight. Could you kindly provide the ticket number? I would be happy to follow up there instead.


Would it be possible to implement such an option in FileZilla?
Thank you for considering this feature request!

Change History (0)
