Opened 12 years ago
Last modified 4 years ago
#8232 reopened Bug report
Manage SSH keys - Site Manager
| Reported by: | Catalin Pavel | Owned by: | |
|---|---|---|---|
| Priority: | high | Component: | FileZilla Client |
| Keywords: | sftp, too-many-authentication-failures | Cc: | cnpavel@…, yukihirog@…, filezilla@… |
| Component version: | Operating system type: | ||
| Operating system version: | All OSes |
Description (last modified by )
Hello,
It would be great if we could specify a key to a configured sftp site in Site Manager so that each configured connection knows what key to use.
The situation is that I need to connect to more than 10 SFTP sites with different usernames and separate keys. I added all the necessary keys to FileZilla and they are all tried to each connection until one works. Usually when the key that works is among the last ones I get my user locked due to "too many authentication failures".
Thank you and looking forward for this functionality!
Regards,
Catalin
Change History (19)
comment:1 by , 12 years ago
| Cc: | added |
|---|
comment:2 by , 11 years ago
comment:3 by , 11 years ago
| Keywords: | too many authentication failures added; key site removed |
|---|---|
| Summary: | Manage ssh keys - site manager → Manage SSH keys - Site Manager |
comment:4 by , 10 years ago
| Cc: | added |
|---|---|
| Type: | Feature request → Bug report |
FileZilla 3.9.0.2 on Windows 7:
If there are more than 6 keys specified in Settings/SFTP, remote SSH login fails with an error message due to too many failed authentication attempts.
Error message:
too many authentication failures [username].
comment:6 by , 10 years ago
Hi -
I would second the original request of being able to select a specific key in a connection profile.
With 10 keys for servers, increasing the connection attempts above 10 on each seems to not be a security best practice...
And recently, with RHEL/CentOS 6.5, a change seems to have made ssh only accept 1 key per connection attempt (at least only 1 key fingerprint appears in the logs, before it sends back the "no more auth methods available, disconnecting", even with MaxAuthTries set > 10).
Have to use pagent and load the single key for the server to connect to... (maybe some default in RHEL ssh changed, ??) Kind-of a pain to connect to different/multiple servers regularly...
Either way - seems it would make sense to only send the 1 key associated with a connection for authentication and not iterate them all, regardless of the ease of use and avoiding the "No other authentication mechanisms available" errors...
comment:7 by , 10 years ago
| Operating system type: | Windows → Other |
|---|---|
| Operating system version: | → All OSes |
I would also like to second suggestion #2 of the original reporter. The issue of multiple key files and authentication failures due to excessive tries is becoming more frequent as users move to manage virtual servers in the cloud. A single extra field in the Site Manage would easily solve this problem.
comment:8 by , 10 years ago
| Cc: | added |
|---|
comment:9 by , 9 years ago
| Description: | modified (diff) |
|---|---|
| Keywords: | too-many-authentication-failures added; too many authentication failures removed |
comment:10 by , 9 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
This will be implemented in the next version of FileZilla.
comment:11 by , 9 years ago
Which version was this implemented in, or is it still in the 'to do' list?
I'm still seeing the previous 'try every key until it works or you're rejected for trying too many' behaviour in version 3.15.0.2
comment:12 by , 7 years ago
I am still seeing this behavior (as in #5480) in version 3.21.0 on Ubuntu.
comment:13 by , 6 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
Hello, any progress on this?
I'm unable to connect to a server that uses password with Filezilla. It tries the local ssh keys, and fails to reach the password mode.
I can connect to the servers that request password with sftp client:
sftp -v -oPreferredAuthentications=password,publickey -P [..]
its the same problem described in https://trac.filezilla-project.org/ticket/5480, which refers to this one as the solution.
Would be great if we could either pass -o arguments to the underlining system, or have a option to force Filezilla into password mode.
thank you so much, hope this helps
comment:14 by , 6 years ago
| Resolution: | → worksforme |
|---|---|
| Status: | reopened → closed |
Stop using an SSH agent if your server cannot handle several presented keys.
comment:15 by , 6 years ago
| Operating system type: | Other |
|---|---|
| Resolution: | worksforme |
| Status: | closed → reopened |
As a long-time Filezilla user, I'm increasingly running into this problem, as apparently are other users, based upon comments on #7739 and #5480, both of which appear to be related.
I'm having a little bit of difficulty understanding where this issue stands, as I see from comment:10 that a fix would be in the (then) next version, and then the same commenter advises in comment:14 to simply stop using an SSH agent. This is not an option for me given the number of SSH sessions I use on a regular basis with the occasional need to use Filezilla for keyless (password-based) SFTP authentication. Apparently this is what other users have said as well.
I'm available for beta testing any solutions that may be attempted. Alternatively, if I'm completely missing something (such as a configuration option) that would enable a previously-implemented fix, then I apologize for re-opening this ticket, but I'm unable to locate anything along those lines.
Thank you!
Incidentally, I'm currently using Filezilla 3.28.0 on Ubuntu 18.04 LTS.
comment:16 by , 5 years ago
I use "IdentitiesOnly yes" in SSH config, and create a separate keypair for every server I access.
Is there an easy way to tell filezilla to read my .ssh/config to figure out which key to use?
comment:17 by , 4 years ago
I see the issue is not solved after 8 years :(
As an example that I run into today:
Need to connect to a server that requests both PPK key and password.
- I still need to upload the keys in EDIT->Settings->SFTP and not in the Site Manager in order to work
- Don't have and Pass+Key option in the Site Manager connection (even if it works if you put the keys in Settings and select Normal auth in the Site Connection
- The keys are still tried sequentially
BR,
Catalin
P.S. We switched to WinSCP a long time ago due to this matter...
comment:18 by , 4 years ago
Still broken for me in 2020 as well. I'm unable to connect to a server that's expecting a password, because there's no way to make Filezilla send a password before keys. Ideally it should follow the settings in ~/.ssh/config when connecting to an SFTP site. You shouldn't have to kill your ssh-agent to use Filezilla with a password.
comment:19 by , 4 years ago
Assign the private key within PuTTy: Connection > SSH > Auth
Although in Windows, I was so thankful that I was able to solve this and stick with FileZilla.
Taken from #8747:
FileZilla 3.7.0.1 on Windows 7 seems to start loading keys from Pageant before it loads keys specified in Settings/SFTP. If there are more than 4 keys in Pageant, remote SSH login fails with an error message due to too many failed authentication attempts.
A suitable resolution for this problem may be the follow two changes/procedures:
(1)
Procedure
(2)
The ability to specify keys in Site Manager per entry (session) is necessary to enable working with many sessions and keys. This prevents loading too many Settings/SFTP specified keys when there are more than 5 coexisting sessions each with a different key.
The procedure mentioned below (1) still applies.
Behavior tested with remote SSHd versions:
SSH-2.0-OpenSSH_5.9p1 Debian-3
SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3