Reining in Misbehaving FileZilla

Although I am known to prefer command line tools, FileZilla is a tool that has accompanied me for a very long time, although seldom used.

Using it again after some time, I stumbled across this error when connecting to a site:

Status:	Connecting to sshd.example.com...
Response:	fzSftp started, protocol_version=9
Command:	open "demouser@sshd.example.com" 22
Error:	FATAL ERROR: Remote side sent disconnect message
Error:	type 2 (protocol error):
Error:	"Too many authentication failures"
Error:	Could not connect to server

The message "Too many authentication failures" is issued by the sshd server. It is controlled by the MaxAuthTries option in the sshd_config file, which

Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.

So why were there more than 6 authentication attempts, when I just tried to connect once?

Well, turning on debug mode in FileZilla helped identify the issue. This is similar to using -vvv with ssh, which shows much more verbose output about what is going on during the initial connection. And it showed me the culprit:

Status:	Connecting to sshd.example.com...
Response:	fzSftp started, protocol_version=9
Command:	open "demouser@sshd.example.com" 22
Trace:	Using SSH protocol version 2
Trace:	Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
Trace:	Pageant is running. Requesting keys.
Trace:	Pageant has 11 SSH-2 keys
Trace:	Trying Pageant key #0
Trace:	Server refused our key
Trace:	Trying Pageant key #1
Trace:	Server refused our key
Trace:	Trying Pageant key #2
Trace:	Server refused our key
Trace:	Trying Pageant key #3
Trace:	Server refused our key
Trace:	Trying Pageant key #4
Trace:	Server refused our key
Trace:	Trying Pageant key #5
Trace:	Remote side sent disconnect message type 2 (protocol error): "Too many authentication failures"
Error:	FATAL ERROR: Remote side sent disconnect message

As you can see, FileZilla is communicating with the ssh-agent on my local machine (using "pageant" as the name, as this is the "putty" ssh agent on Windows OS), which basically tells it "here are the 11 keys I know of", and FileZilla runs along and tries each and every one of them, causing sshd to say "no" after the 6th attempt.

In ssh/scp, you can control this behaviour via the IdentitiesOnly option in the ssh_config:

Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in the ssh_config files or passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identities. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identities.

FileZilla does not offer anything similar, so we have to make it believe that there is no ssh agent running that it could talk to. This is easily done by setting SSH_AUTH_SOCK="" before starting FileZilla.

To automate this, copy the filezilla.desktop file to your local path and modify the Exec line like so:

cp /usr/share/applications/filezilla.desktop ~/.local/share/applications 
gvim ~/.local/share/applications/filezilla.desktop  
...
Exec=env SSH_AUTH_SOCK="" filezilla
...

And with that, the annoying error is gone :D
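
The copy-and-edit step above can also be scripted. The following is an added example, not part of the original post: the function names are hypothetical, and the threshold of 6 is the MaxAuthTries default from the man page quoted earlier. It counts the keys the agent holds and, if they could use up every attempt on one connection, writes the per-user launcher with the patched Exec line.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of FileZilla or OpenSSH.

# Count identities in `ssh-add -l` output read from stdin. Every listed key is
# one public-key offer the server may refuse, i.e. one potential auth failure.
count_agent_keys() {
    grep -cE '^[0-9]+ (SHA256|MD5):' || true   # grep exits 1 on zero matches
}

# Copy a .desktop file into DEST_DIR and prefix each Exec= command with
# `env SSH_AUTH_SOCK=""`. Already-patched lines are skipped, so re-running
# the function is safe.
install_agentless_launcher() {
    local src="$1" dest_dir="$2" dest
    dest="$dest_dir/$(basename "$src")"
    mkdir -p "$dest_dir"
    sed -e '/^Exec=env SSH_AUTH_SOCK=/!s|^Exec=\(.*\)$|Exec=env SSH_AUTH_SOCK="" \1|' \
        "$src" > "$dest.tmp" && mv "$dest.tmp" "$dest"
    printf '%s\n' "$dest"
}

# Usage: script install [MaxAuthTries]   (without "install" nothing is changed)
if [ "${1:-}" = "install" ]; then
    max="${2:-6}"                          # 6 = sshd default quoted above
    keys=$(ssh-add -l 2>/dev/null | count_agent_keys)
    if [ "$keys" -ge "$max" ]; then
        # Enough agent keys to use up every attempt on a single connection.
        install_agentless_launcher /usr/share/applications/filezilla.desktop \
            "$HOME/.local/share/applications"
    else
        echo "agent holds $keys key(s), below MaxAuthTries=$max; launcher unchanged"
    fi
fi
```

The sed expression keeps whatever followed Exec= in the system file, so any arguments on that line survive the rewrite.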

Sunday, 20211226, 22:42



Disclaimer

"Leyrers Online Pamphlet" is my, Martin Leyrer's, personal website. The posts published here reflect my ideas, interests, my humor and occasionally my life.
The postings on this site are my own and do not represent the positions, strategies or opinions of any former, current or future employer of mine.
