Hi there,
I am using a “Nitrokey Start” at work and mostly SSH files for my private stuff. Also, I am using AWS and Azure Cloud VMs as well as local Virtual Machines with techniques like Vagrant and so on.
All this seems to fill up my gpg-agent key cache so that I am receiving the error “Too many authentication failures” when trying to connect to a server on which I need the Nitrokey key to connect. For the situations where I need a specific key from a file, it’s easy, since I just need to add something like this to the .ssh/config:
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
But for the Nitrokey keys, I am not aware how to achieve the same, since IdentityFile just takes filenames, afaik.
How can I resolve this issue?
Best regards,
Marc
Hi!
Unfortunately I can’t find a direct solution for that using GnuPG at the moment. As a workaround you can increase the allowed attempts server side by changing the MaxAuthTries setting in the /etc/ssh/sshd_config file.
You can try using OpenSC instead to limit the identities, for which OpenSSH seems to have direct support:
ssh -I opensc-pkcs11.so root@myhost
# ssh-add -s opensc-pkcs11.so
Edit: Using OpenSC through the PKCS11Provider entry in the config file seems to be the solution:
pkcs15-tool --read-ssh-key 00
to get the public SSH key and setting the PKCS11Provider field in the .ssh/config file:
# IdentityFile ~/.ssh/id_rsa
# IdentitiesOnly yes
PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
I’d prefer to have a pure client-side solution, since not every destination system is under my control. Also, this is nothing where a server-side workaround should be required.
Anyways: The OpenSC solution seems promising. Thank you for pointing that out!
Best regards,
Marc
Yes, I fully agree - this is entirely a client-side issue. Given the PKCS#11 solution I wonder whether the same can’t be done for GnuPG. To investigate further.
I know this thread is a little bit old, but I want to give another solution: set the IdentityFile to your public SSH key.
Export your public SSH key:
gpg --export-ssh-key KEYID > ~/.ssh/nitrokey.pub
And in your ~/.ssh/config:
IdentityFile ~/.ssh/nitrokey.pub
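An added check for the approach in this last answer (example shell script, not from the thread or from Nitrokey): against a saved `ssh-add -L` listing it verifies offline that the exported .pub matches a key the agent actually holds (IdentitiesOnly only helps if it does), counts the agent's identities against sshd's default MaxAuthTries of 6, and prints the Host block. All file names and key blobs below are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Input is a saved `ssh-add -L`
# listing plus the .pub written by `gpg --export-ssh-key`.

# Print the key blob (type + base64) of an OpenSSH public key line,
# ignoring the trailing comment, which differs between gpg and ssh-add.
key_blob() {
    awk 'NF >= 2 { print $1 " " $2; exit }' "$1"
}

# Count identities the agent lists (one public key per line).
agent_identity_count() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1"
}

# sshd's default MaxAuthTries is 6 and every key offered counts as one try.
over_max_auth_tries() {
    [ "$(agent_identity_count "$1")" -gt "${2:-6}" ]
}

# 0 if the public key in $2 appears in the agent listing $1, 1 otherwise.
agent_offers() {
    blob=$(key_blob "$2")
    [ -n "$blob" ] || return 1
    grep -qF "$blob" "$1"
}

# Emit the ~/.ssh/config Host block the last answer describes.
config_block() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Constructed demo data: fake blobs, not real keys.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/agent.txt" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkS2V5T25lMDAwMDAwMDAwMDAw cardno:000000000001
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedkeytwo= vagrant
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkS2V5VGhyZWUwMDAwMDAwMDAw aws
EOF
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkS2V5T25lMDAwMDAwMDAwMDAw openpgp:0xCONSTRUCT\n' > "$tmp/nitrokey.pub"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5vdEluQWdlbnQwMDAwMDAwMDAwMDAwMDAwMDAw absent\n' > "$tmp/absent.pub"
if agent_offers "$tmp/agent.txt" "$tmp/nitrokey.pub"; then
    echo "agent holds the Nitrokey key; IdentitiesOnly will work"
fi
echo "agent identities: $(agent_identity_count "$tmp/agent.txt")"
config_block myhost "~/.ssh/nitrokey.pub"
```

To use it on a real setup, replace the constructed files with `ssh-add -L > agent.txt` and the .pub from `gpg --export-ssh-key`.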