Opened 12 years ago

Last modified 4 years ago

#8232 reopened Bug report

Manage SSH keys - Site Manager

Reported by: Catalin Pavel Owned by:
Priority: high Component: FileZilla Client
Keywords: sftp, too-many-authentication-failures Cc: cnpavel@…, yukihirog@…, filezilla@…
Component version: Operating system type:
Operating system version: All OSes

Description (last modified by Alexander Schuch)

Hello,

It would be great if we could specify a key to a configured sftp site in Site Manager so that each configured connection knows what key to use.
The situation is that I need to connect to more than 10 SFTP sites with different usernames and separate keys. I added all the necessary keys to FileZilla and they are all tried to each connection until one works. Usually when the key that works is among the last ones I get my user locked due to "too many authentication failures".

Thank you and looking forward for this functionality!

Regards,
Catalin

Change History (19)

comment:1 by Catalin Pavel, 12 years ago

Cc: cnpavel@… added

comment:2 by Alexander Schuch, 11 years ago

Taken from #8747:

FileZilla 3.7.0.1 on Windows 7 seems to start loading keys from Pageant before it loads keys specified in Settings/SFTP. If there are more than 4 keys in Pageant, remote SSH login fails with an error message due to too many failed authentication attempts.

A suitable resolution for this problem may be the follow two changes/procedures:

(1)
Procedure

  1. Find a match for a Settings/SFTP specified keys using Pageant, then use those keys from Pageant.
  2. If that fails, attempt to load specified keys in Settings/SFTP without Pageant. (Pageant is not needed for password less keys.)

(2)
The ability to specify keys in Site Manager per entry (session) is necessary to enable working with many sessions and keys. This prevents loading too many Settings/SFTP specified keys when there are more than 5 coexisting sessions each with a different key.
The procedure mentioned below (1) still applies.

Behavior tested with remote SSHd versions:
SSH-2.0-OpenSSH_5.9p1 Debian-3
SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3

comment:3 by Alexander Schuch, 11 years ago

Keywords: too many authentication failures added; key site removed
Summary: Manage ssh keys - site managerManage SSH keys - Site Manager

comment:4 by Yukihiro Ogawa, 10 years ago

Cc: yukihirog@… added
Type: Feature requestBug report

FileZilla 3.9.0.2 on Windows 7:
If there are more than 6 keys specified in Settings/SFTP, remote SSH login fails with an error message due to too many failed authentication attempts.

Error message:
too many authentication failures [username].

comment:5 by Alexander Schuch, 10 years ago

The issue #5480 is related.

comment:6 by Chad Roberts, 10 years ago

Hi -
I would second the original request of being able to select a specific key in a connection profile.
With 10 keys for servers, increasing the connection attempts above 10 on each seems to not be a security best practice...
And recently, with RHEL/CentOS 6.5, a change seems to have made ssh only accept 1 key per connection attempt (at least only 1 key fingerprint appears in the logs, before it sends back the "no more auth methods available, disconnecting", even with MaxAuthTries set > 10).
Have to use pagent and load the single key for the server to connect to... (maybe some default in RHEL ssh changed, ??) Kind-of a pain to connect to different/multiple servers regularly...

Either way - seems it would make sense to only send the 1 key associated with a connection for authentication and not iterate them all, regardless of the ease of use and avoiding the "No other authentication mechanisms available" errors...

comment:7 by Gil Shwartz, 10 years ago

Operating system type: WindowsOther
Operating system version: All OSes

I would also like to second suggestion #2 of the original reporter. The issue of multiple key files and authentication failures due to excessive tries is becoming more frequent as users move to manage virtual servers in the cloud. A single extra field in the Site Manage would easily solve this problem.

comment:8 by Gil Shwartz, 10 years ago

Cc: filezilla@… added

comment:9 by Alexander Schuch, 9 years ago

Description: modified (diff)
Keywords: too-many-authentication-failures added; too many authentication failures removed

comment:10 by Tim Kosse, 9 years ago

Resolution: fixed
Status: newclosed

This will be implemented in the next version of FileZilla.

comment:11 by superian, 9 years ago

Which version was this implemented in, or is it still in the 'to do' list?

I'm still seeing the previous 'try every key until it works or you're rejected for trying too many' behaviour in version 3.15.0.2

comment:12 by Charles Phillips, 7 years ago

I am still seeing this behavior (as in #5480) in version 3.21.0 on Ubuntu.

comment:13 by Pedro Carvalho, 6 years ago

Resolution: fixed
Status: closedreopened

Hello, any progress on this?

I'm unable to connect to a server that uses password with Filezilla. It tries the local ssh keys, and fails to reach the password mode.

I can connect to the servers that request password with sftp client:

sftp -v -oPreferredAuthentications=password,publickey -P [..]

its the same problem described in https://trac.filezilla-project.org/ticket/5480, which refers to this one as the solution.

Would be great if we could either pass -o arguments to the underlining system, or have a option to force Filezilla into password mode.

thank you so much, hope this helps

comment:14 by Tim Kosse, 6 years ago

Resolution: worksforme
Status: reopenedclosed

Stop using an SSH agent if your server cannot handle several presented keys.

comment:15 by David G. Johnson, 6 years ago

Operating system type: Other
Resolution: worksforme
Status: closedreopened

As a long-time Filezilla user, I'm increasingly running into this problem, as apparently are other users, based upon comments on #7739 and #5480, both of which appear to be related.

I'm having a little bit of difficulty understanding where this issue stands, as I see from comment:10 that a fix would be in the (then) next version, and then the same commenter advises in comment:14 to simply stop using an SSH agent. This is not an option for me given the number of SSH sessions I use on a regular basis with the occasional need to use Filezilla for keyless (password-based) SFTP authentication. Apparently this is what other users have said as well.

I'm available for beta testing any solutions that may be attempted. Alternatively, if I'm completely missing something (such as a configuration option) that would enable a previously-implemented fix, then I apologize for re-opening this ticket, but I'm unable to locate anything along those lines.

Thank you!

Incidentally, I'm currently using Filezilla 3.28.0 on Ubuntu 18.04 LTS.

Edit: fixing link syntax to comments on other tickets.

Last edited 6 years ago by David G. Johnson (previous) (diff)

comment:16 by logtom, 5 years ago

I use "IdentitiesOnly yes" in SSH config, and create a separate keypair for every server I access.

Is there an easy way to tell filezilla to read my .ssh/config to figure out which key to use?

comment:17 by Catalin Pavel, 4 years ago

I see the issue is not solved after 8 years :(
As an example that I run into today:
Need to connect to a server that requests both PPK key and password.

  1. I still need to upload the keys in EDIT->Settings->SFTP and not in the Site Manager in order to work
  2. Don't have and Pass+Key option in the Site Manager connection (even if it works if you put the keys in Settings and select Normal auth in the Site Connection
  3. The keys are still tried sequentially

BR,
Catalin

P.S. We switched to WinSCP a long time ago due to this matter...

comment:18 by atpage, 4 years ago

Still broken for me in 2020 as well. I'm unable to connect to a server that's expecting a password, because there's no way to make Filezilla send a password before keys. Ideally it should follow the settings in ~/.ssh/config when connecting to an SFTP site. You shouldn't have to kill your ssh-agent to use Filezilla with a password.

comment:19 by tranzium, 4 years ago

Assign the private key within PuTTy: Connection > SSH > Auth

Although in Windows, I was so thankful that I was able to solve this and stick with FileZilla.

Note: See TracTickets for help on using tickets.