Must we use ssh-agent nowadays?
In the past, I never had to use ssh-agent
and everything worked fine.
But I noticed, on GitHub, it is asking people to use ssh-agent
, even if we don't use it, it seemed fine. So I just ignore that lengthy part usually for the ssh-agent
and ssh-add
.
But for a few days I was able to log onto Bluehost, but yesterday day I added a new pair of public and private key to my MacBook Air M1, and now the log in that used to work becomes:
Received disconnect from 162.241.123.123 port 22:2: Too many authentication failures for mike123
Disconnected from 162.241.123.123 port 22
without even asking for a password. But it was strange why when it let me log in, it asked me for password, when I thought the whole idea of ssh is not requiring password.
But today, it does not even ask me for password but spit out the message above.
However, my MacBook Pro was able to log in, even though it is asking for a password.
The Bluehost tech support was saying, I should paste my private key to their Bluehost SSH panel. But I thought we should never give out our private key.
So must we use ssh-agent
now? What might be the issue of "Too many authentication failures for _____" and how is it solved?
P.S. Aftermath: I did follow the steps in the Github docs above and used ssh-agent
and ssh-add
, and created the file ~/.ssh/config
. The fact that ssh-keygen
did not create ~/.ssh/config
might suggest ~/.ssh/config
is not a usual practice, but after I did the above steps, then I was able to be asked a password and be able to log in again to Bluehost. Why it still is asking for a password, I am not sure, but at least it is letting me log in.
Solution 1:
No, there's no requirement (new or old) to use ssh-agent
.
And no, the whole idea of ssh is not that it won't require a password. One of the ideas behind ssh
is that it provides an encryption connection between the server and the client.
Determining whether the server and the client are the "right ones" (i.e. the ones you want to allow talking together) can be done through many means. One of them is simply requiring the client to enter a username and a password. If you do not supply a username, the currently logged in user's username will be used instead.
Another way of authenticating yourself to the server is using keys. The tech support agent that stated that you should paste your private key was wrong. Never give out your private key!
Instead you want to paste the public part of the key to the server's interface. This way you can login using the key instead of a username and password.
In order to ensure that others do not misuse your key, it is common practice to protect the key itself with a passphrase (i.e. not username/password, but a "long password"). If you do that, you can either enter the passphrase every time you want to login, or you can use a program like ssh-agent
so that you only have to enter the passphrase once when logging in to your computer, and then the key would be ready to use without further passphrases whenever you need to login.
The guide you have followed instructed you to create a config file. You're right that the config file is as such not required, but I won't say that it is not usual practice to have one. The reason why they ask you to create one when following the guide is to have the special instruction "UseKeychain" set. This makes it so that the passphrase protecting the key is stored in your macOS Keychain.
The practical benefit is that now you won't even have to enter the passphrase when you login to your computer. When you login to your computer like normal, that usually unlocks your Keychain as well - including your passphrase.
The fact that you're still asked for a password when logging in seems to indicate that your keys setup is not used. Make sure it is actually the password that you need to enter (and not the passphrase) - if so, that is usually because you haven't properly pasted the public part of the key to their SSH panel.