tests/vm: use -o IdentitiesOnly=yes for ssh

[PATCH] tests/vm: use -o IdentitiesOnly=yes for ssh

Posted by Ilya Leoshkevich 1 year, 6 months ago

When one has a lot of keys in ~/.ssh directory, the ssh command will
try all of them before the one specified on the command line, and this
may cause the remote ssh server to reject the connection due to too
many failed authentication attempts.

Fix by adding -o IdentitiesOnly=yes, which makes the ssh client
consider only the keys specified on the command line.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
---
 tests/vm/basevm.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/vm/basevm.py b/tests/vm/basevm.py
index 4fd9af10b7f..2276364c42f 100644
--- a/tests/vm/basevm.py
+++ b/tests/vm/basevm.py
@@ -233,7 +233,8 @@ def _ssh_do(self, user, cmd, check):
                    "-o", "UserKnownHostsFile=" + os.devnull,
                    "-o",
                    "ConnectTimeout={}".format(self._config["ssh_timeout"]),
-                   "-p", str(self.ssh_port), "-i", self._ssh_tmp_key_file]
+                   "-p", str(self.ssh_port), "-i", self._ssh_tmp_key_file,
+                   "-o", "IdentitiesOnly=yes"]
         # If not in debug mode, set ssh to quiet mode to
         # avoid printing the results of commands.
         if not self.debug:
-- 
2.37.2

Re: [PATCH] tests/vm: use -o IdentitiesOnly=yes for ssh

Posted by Alex Bennée 1 year, 6 months ago

Ilya Leoshkevich <iii@linux.ibm.com> writes:

> When one has a lot of keys in ~/.ssh directory, the ssh command will
> try all of them before the one specified on the command line, and this
> may cause the remote ssh server to reject the connection due to too
> many failed authentication attempts.
>
> Fix by adding -o IdentitiesOnly=yes, which makes the ssh client
> consider only the keys specified on the command line.
>
> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>

Queued to testing/next, thanks.

-- 
Alex Bennée

Re: [PATCH] tests/vm: use -o IdentitiesOnly=yes for ssh

Posted by Thomas Huth 1 year, 6 months ago

On 27/10/2022 13.30, Ilya Leoshkevich wrote:
> When one has a lot of keys in ~/.ssh directory, the ssh command will
> try all of them before the one specified on the command line, and this
> may cause the remote ssh server to reject the connection due to too
> many failed authentication attempts.
> 
> Fix by adding -o IdentitiesOnly=yes, which makes the ssh client
> consider only the keys specified on the command line.
> 
> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
> ---
>   tests/vm/basevm.py | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/tests/vm/basevm.py b/tests/vm/basevm.py
> index 4fd9af10b7f..2276364c42f 100644
> --- a/tests/vm/basevm.py
> +++ b/tests/vm/basevm.py
> @@ -233,7 +233,8 @@ def _ssh_do(self, user, cmd, check):
>                      "-o", "UserKnownHostsFile=" + os.devnull,
>                      "-o",
>                      "ConnectTimeout={}".format(self._config["ssh_timeout"]),
> -                   "-p", str(self.ssh_port), "-i", self._ssh_tmp_key_file]
> +                   "-p", str(self.ssh_port), "-i", self._ssh_tmp_key_file,
> +                   "-o", "IdentitiesOnly=yes"]
>           # If not in debug mode, set ssh to quiet mode to
>           # avoid printing the results of commands.
>           if not self.debug:

Ah, great, I've run into this problem in the past already, too, but I didn't 
find that config switch! Good to know that there is a solution!

Reviewed-by: Thomas Huth <thuth@redhat.com>