OpenSSH

I was trying to push a new git repo on another git server (git is peer-to-peer) to publish transparent open access data for my work. For the record, it was using Gitlab.

Imagine my surprise (not) when I saw the message “Received disconnect from X.X.X.X port 22:2: Too many authentication failures”. Being a good pupil, all my SSH connections are protected with an SSH key (except for one organization, but this will maybe be explained in another post). All my SSH keys expire (manually, as I delete them) every year, and this was the second time I used this SSH key.

I have two mirrors: one on my personal repo, one on the office repo. Two different SSH keys, of course, and the configuration worked for the first one. So, why should I get this 😧?

```
git push
Énumération des objets: 26, fait.
Décompte des objets: 100% (26/26), fait.
Compression par delta en utilisant jusqu'à 14 fils d'exécution
Compression des objets: 100% (23/23), fait.
Écriture des objets: 100% (26/26), 120.55 Kio | 15.07 Mio/s, fait.
Total 26 (delta 0), réutilisés 0 (delta 0), réutilisés du pack 0
remote: Checking connectivity: 26, done.
To git.linarphy.net:linarphy/step2angle.git
 * [new branch]      main -> main
La branche 'main' est paramétrée pour suivre la branche distante 'main' depuis 'origin'.
Received disconnect from X.X.X.X port 22:2: Too many authentication failures
Disconnected from X.X.X.X port 22
fatal: Impossible de lire le dépôt distant.

Veuillez vérifier que vous avez les droits d'accès
et que le dépôt existe.
```

That’s not good. So I try to ssh into the server directly, with `ssh git@hostname -vvv`, and surprise! It doesn’t look at the right key. I check my configuration, everything looks good. I re-check with the exact same command and configuration and TADAAAA, it works now 🥳.

So, I try to git push again, and everything works again.

I don’t know what the root cause is, and I may never know 🤨. But there are multiple identifiable causes that increase the frequency of this type of issue.

First, the OpenSSH client. It has a great history, one of the oldest SSH servers and clients, still there and doing great, implementing tons of stuff 🧓. Yet, it still forces people to create a `.ssh` folder in their `$HOME` directory without caring about `.config`, a specification that is more than 20 years old (for the 0.6 version). I was not born when the specification was starting to be crafted, and OpenSSH still does not care 😡.

Even Mozilla now (since a month ago) respects this specification.

Yes, you can force OpenSSH to use a custom config file with the `-F` option. But then, you have to work additional hours to adapt every software configuration that uses OpenSSH in the background to add this flag everywhere (when it is possible!).

Speaking of the configuration file, its syntax is weird. I know how to read the doc, so it’s fine, but still.

But the strangest thing is its inability to select ONLY ONE key. When you add the nice `-i /path/to/ssh/key` argument, OpenSSH will still try other keys. I KNOW other keys won’t work. Stop trying everything you can to connect to the server. That is not a sane default 🤬! If you don’t ask for any key, I understand, but if you ask specifically for one, why use other keys?

And it’s worse than what you think: if there is a mistake in your configuration, OpenSSH will accept it, and if a valid key still exists, the user won’t know the key specified in the configuration is bad. So when you clean your devil `~/.ssh` folder and delete “unused keys”, the surprise of being locked out, without any SSH key to connect to your server, will not be nice. Don’t worry, even if you don’t delete any keys, adding too many keys will make OpenSSH take minutes to find the right one, and you will think that the server is slow 🕜.

Erratum: I just discovered the `-o IdentitiesOnly=yes` option, but the fact that it is not the default when specifying `-i /path/key` is beyond my comprehension.

Let’s speak about the verbosity of the SSH client, too. I want to know, first, if everything goes right, then, how my configuration file is used, then what packets I send and receive, with their codes. Right now, you can get the first and last pieces of information, but good luck understanding whether OpenSSH does what it does because you wrote something or because this is default behavior.
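The two pitfalls above (a configured `IdentityFile` without `IdentitiesOnly yes`, so agent keys are offered anyway and each rejected one burns an authentication try against the server's `MaxAuthTries`; and a typo in an `IdentityFile` path that ssh skips without a word) can both be caught by reading the config before ssh does. The following lint is an added example, not code from the original post or from OpenSSH. It parses the `Host` blocks of an ssh_config, merges them the way ssh does (first value seen wins, `IdentityFile` accumulates), and reports the findings for one destination. The config text, the second host name, the key paths and the stand-in filesystem are constructed for illustration; `git.linarphy.net` is the host from the push output above.

```python
"""Lint an OpenSSH client config for the key-selection pitfalls discussed above.

Added example, not code from the original post or from OpenSSH. The config
text, host names, key paths and stand-in filesystem are constructed.
"""
import fnmatch
import os
import re

# sshd's built-in default for MaxAuthTries: each key the client offers and
# the server rejects counts as one failed try.
DEFAULT_MAX_AUTH_TRIES = 6

# Constructed ssh_config. The first Host block pins exactly one key; the
# second has the two problems described in the post: IdentitiesOnly is
# missing and one IdentityFile path is a typo. Comments in a real ssh_config
# go on their own line, as here.
SAMPLE_CONFIG = """\
Host git.linarphy.net
    User git
    # hypothetical key path
    IdentityFile ~/.ssh/personal_gitlab_ed25519
    IdentitiesOnly yes

Host gitlab.example.org
    User git
    # hypothetical key paths; the second one does not exist
    IdentityFile ~/.ssh/office_gitlab_ed25519
    IdentityFile ~/.ssh/old_key_typo
"""

# Constructed stand-in for the filesystem so the example runs offline.
EXISTING_KEYS = {
    os.path.expanduser("~/.ssh/personal_gitlab_ed25519"),
    os.path.expanduser("~/.ssh/office_gitlab_ed25519"),
}


def fake_exists(path):
    return path in EXISTING_KEYS


_LINE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$")


def parse_ssh_config(text):
    """Split ssh_config text into [(host_patterns, options), ...].

    Options before the first Host keyword form a leading block that applies
    to every host. Keywords are case-insensitive. As in OpenSSH, the first
    value seen for an option wins; IdentityFile accumulates instead.
    Include and Match are not handled by this toy parser.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if match is None:
            raise ValueError(f"unparsable ssh_config line: {raw!r}")
        key, value = match.group(1).lower(), match.group(2)
        if key == "host":
            blocks.append((value.split(), {}))
            continue
        options = blocks[-1][1]
        if key == "identityfile":
            options.setdefault(key, []).append(value)
        else:
            options.setdefault(key, value)
    return blocks


def _host_matches(patterns, host):
    """Host patterns are globs; a pattern starting with '!' excludes the host."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def effective_options(blocks, host):
    """Merge every matching block the way ssh does: earlier wins, keys add up."""
    effective = {}
    for patterns, options in blocks:
        if not _host_matches(patterns, host):
            continue
        for key, value in options.items():
            if key == "identityfile":
                effective.setdefault(key, []).extend(value)
            else:
                effective.setdefault(key, value)
    return effective


def lint_config(text, host, exists=os.path.exists):
    """Return a list of findings for connecting to `host` with this config."""
    effective = effective_options(parse_ssh_config(text), host)
    keys = effective.get("identityfile", [])
    findings = []
    if keys and effective.get("identitiesonly", "no").lower() != "yes":
        findings.append(
            "IdentityFile is set but IdentitiesOnly is not 'yes': every key "
            "held by ssh-agent is offered too, and each rejected offer costs "
            "one authentication try")
    for key in keys:
        if not exists(os.path.expanduser(key)):
            findings.append(
                f"IdentityFile {key} does not exist; ssh skips it without an "
                f"error, so authentication silently depends on other keys")
    if len(keys) >= DEFAULT_MAX_AUTH_TRIES:
        findings.append(
            f"{len(keys)} configured identities reach sshd's default "
            f"MaxAuthTries ({DEFAULT_MAX_AUTH_TRIES}); expect "
            f"'Too many authentication failures'")
    return findings


if __name__ == "__main__":
    for host in ("git.linarphy.net", "gitlab.example.org"):
        print(host, lint_config(SAMPLE_CONFIG, host, exists=fake_exists) or ["ok"])
```

To see what OpenSSH itself resolved rather than what a lint guesses, `ssh -G git.linarphy.net` prints the effective configuration after `Host` matching, including the `identityfile` list and `identitiesonly`, which answers the "did I set this or is it a default" question. Git reads the same ssh_config, so a correct `Host` block needs no `-F`; when a separate file is wanted anyway, `git config core.sshCommand 'ssh -F ~/.config/ssh/config'` applies it to one repository, and an `Include ~/.config/ssh/config` line in `~/.ssh/config` lets the real configuration live outside `~/.ssh` for every ssh client.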

The second factor is the Gitlab connection. Sometimes it works, sometimes not. And being self-hosted software is no excuse. Codeberg, with Forgejo, does much better, without the AI bullshit 💩 and without being a huge company. Gitlab has a lot of features that you will absolutely never use, and this clutters your entire screen, which makes every operation harder than it should be.