Opened 7 years ago

Last modified 2 months ago

#8232 reopened Bug report

Manage SSH keys - Site Manager

Reported by: Catalin Pavel Owned by:
Priority: high Component: FileZilla Client
Keywords: sftp, too-many-authentication-failures Cc: cnpavel@…, yukihirog@…, filezilla@…
Component version: Operating system type:
Operating system version: All OSes

Description (last modified by Alexander Schuch)

Hello,

It would be great if we could specify a key to a configured sftp site in Site Manager so that each configured connection knows what key to use.
The situation is that I need to connect to more than 10 SFTP sites with different usernames and separate keys. I added all the necessary keys to FileZilla and they are all tried to each connection until one works. Usually when the key that works is among the last ones I get my user locked due to "too many authentication failures".

Thank you and looking forward for this functionality!

Regards,
Catalin

Change History (15)

comment:1 Changed 7 years ago by Catalin Pavel

Cc: cnpavel@… added

comment:2 Changed 6 years ago by Alexander Schuch

Taken from #8747:

FileZilla 3.7.0.1 on Windows 7 seems to start loading keys from Pageant before it loads keys specified in Settings/SFTP. If there are more than 4 keys in Pageant, remote SSH login fails with an error message due to too many failed authentication attempts.

A suitable resolution for this problem may be the follow two changes/procedures:

(1)
Procedure

  1. Find a match for a Settings/SFTP specified keys using Pageant, then use those keys from Pageant.
  2. If that fails, attempt to load specified keys in Settings/SFTP without Pageant. (Pageant is not needed for password less keys.)

(2)
The ability to specify keys in Site Manager per entry (session) is necessary to enable working with many sessions and keys. This prevents loading too many Settings/SFTP specified keys when there are more than 5 coexisting sessions each with a different key.
The procedure mentioned below (1) still applies.

Behavior tested with remote SSHd versions:
SSH-2.0-OpenSSH_5.9p1 Debian-3
SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3

comment:3 Changed 6 years ago by Alexander Schuch

Keywords: too many authentication failures added; key site removed
Summary: Manage ssh keys - site managerManage SSH keys - Site Manager

comment:4 Changed 5 years ago by Yukihiro Ogawa

Cc: yukihirog@… added
Type: Feature requestBug report

FileZilla 3.9.0.2 on Windows 7:
If there are more than 6 keys specified in Settings/SFTP, remote SSH login fails with an error message due to too many failed authentication attempts.

Error message:
too many authentication failures [username].

comment:5 Changed 5 years ago by Alexander Schuch

The issue #5480 is related.

comment:6 Changed 5 years ago by Chad Roberts

Hi -
I would second the original request of being able to select a specific key in a connection profile.
With 10 keys for servers, increasing the connection attempts above 10 on each seems to not be a security best practice...
And recently, with RHEL/CentOS 6.5, a change seems to have made ssh only accept 1 key per connection attempt (at least only 1 key fingerprint appears in the logs, before it sends back the "no more auth methods available, disconnecting", even with MaxAuthTries set > 10).
Have to use pagent and load the single key for the server to connect to... (maybe some default in RHEL ssh changed, ??) Kind-of a pain to connect to different/multiple servers regularly...

Either way - seems it would make sense to only send the 1 key associated with a connection for authentication and not iterate them all, regardless of the ease of use and avoiding the "No other authentication mechanisms available" errors...

comment:7 Changed 4 years ago by Gil Shwartz

Operating system type: WindowsOther
Operating system version: All OSes

I would also like to second suggestion #2 of the original reporter. The issue of multiple key files and authentication failures due to excessive tries is becoming more frequent as users move to manage virtual servers in the cloud. A single extra field in the Site Manage would easily solve this problem.

comment:8 Changed 4 years ago by Gil Shwartz

Cc: filezilla@… added

comment:9 Changed 4 years ago by Alexander Schuch

Description: modified (diff)
Keywords: too-many-authentication-failures added; too many authentication failures removed

comment:10 Changed 4 years ago by Tim Kosse

Resolution: fixed
Status: newclosed

This will be implemented in the next version of FileZilla.

comment:11 Changed 3 years ago by superian

Which version was this implemented in, or is it still in the 'to do' list?

I'm still seeing the previous 'try every key until it works or you're rejected for trying too many' behaviour in version 3.15.0.2

comment:12 Changed 23 months ago by Charles Phillips

I am still seeing this behavior (as in #5480) in version 3.21.0 on Ubuntu.

comment:13 Changed 11 months ago by Pedro Carvalho

Resolution: fixed
Status: closedreopened

Hello, any progress on this?

I'm unable to connect to a server that uses password with Filezilla. It tries the local ssh keys, and fails to reach the password mode.

I can connect to the servers that request password with sftp client:

sftp -v -oPreferredAuthentications=password,publickey -P [..]

its the same problem described in https://trac.filezilla-project.org/ticket/5480, which refers to this one as the solution.

Would be great if we could either pass -o arguments to the underlining system, or have a option to force Filezilla into password mode.

thank you so much, hope this helps

comment:14 Changed 11 months ago by Tim Kosse

Resolution: worksforme
Status: reopenedclosed

Stop using an SSH agent if your server cannot handle several presented keys.

comment:15 Changed 2 months ago by David G. Johnson

Operating system type: Other
Resolution: worksforme
Status: closedreopened

As a long-time Filezilla user, I'm increasingly running into this problem, as apparently are other users, based upon comments on #7739 and #5480, both of which appear to be related.

I'm having a little bit of difficulty understanding where this issue stands, as I see from comment:10 that a fix would be in the (then) next version, and then the same commenter advises in comment:14 to simply stop using an SSH agent. This is not an option for me given the number of SSH sessions I use on a regular basis with the occasional need to use Filezilla for keyless (password-based) SFTP authentication. Apparently this is what other users have said as well.

I'm available for beta testing any solutions that may be attempted. Alternatively, if I'm completely missing something (such as a configuration option) that would enable a previously-implemented fix, then I apologize for re-opening this ticket, but I'm unable to locate anything along those lines.

Thank you!

Incidentally, I'm currently using Filezilla 3.28.0 on Ubuntu 18.04 LTS.

Edit: fixing link syntax to comments on other tickets.

Last edited 2 months ago by David G. Johnson (previous) (diff)
Note: See TracTickets for help on using tickets.