From eecc3a236e49c71edc08369ea77b6d9d10b0bb78 Mon Sep 17 00:00:00 2001 From: hamza-db Date: Thu, 4 Dec 2025 15:24:49 +0000 Subject: [PATCH] Fix SSH auth failures by enforcing IdentitiesOnly=yes When a specific ssh key is provided via `-i` or IdentityFile option,the SSH client may still attempt to iterate through all keys loaded in the ssh-agent first. If too many keys are loaded, this causes the server to reject the connection with "Too many authentication failures" before the correct key is attempted. --- experimental/ssh/internal/client/client.go | 1 + experimental/ssh/internal/setup/setup.go | 1 + 2 files changed, 2 insertions(+) diff --git a/experimental/ssh/internal/client/client.go b/experimental/ssh/internal/client/client.go index 6a294b5935..a3c3d78889 100644 --- a/experimental/ssh/internal/client/client.go +++ b/experimental/ssh/internal/client/client.go @@ -252,6 +252,7 @@ func spawnSSHClient(ctx context.Context, userName, privateKeyPath string, server sshArgs := []string{ "-l", userName, "-i", privateKeyPath, + "-o", "IdentitiesOnly=yes", "-o", "StrictHostKeyChecking=accept-new", "-o", "ConnectTimeout=360", "-o", "ProxyCommand=" + proxyCommand, diff --git a/experimental/ssh/internal/setup/setup.go b/experimental/ssh/internal/setup/setup.go index 4359a954da..b68fa7eef2 100644 --- a/experimental/ssh/internal/setup/setup.go +++ b/experimental/ssh/internal/setup/setup.go @@ -96,6 +96,7 @@ Host %s User root ConnectTimeout 360 StrictHostKeyChecking accept-new + IdentitiesOnly yes IdentityFile %q ProxyCommand %s `, opts.HostName, identityFilePath, proxyCommand)