OSX: clean up OSX SSH keyring

Introduction

For quite some time, I have struggled with the following error message:

Received disconnect from 192.168.4.223 port 22:2: Too many authentication failures

This normally happens when you have far too many SSH keys in your .ssh directory, as the default sshd config on most Linux systems limits you to 6 authentication attempts (MaxAuthTries), and every key the client offers counts as one attempt.

myUserpi@wue-irrigation-r01:~ $ grep MaxAuthTries /etc/ssh/sshd_config 
#MaxAuthTries 6

I happened to have 7 entries that my gpg-agent wanted to use, although I really did not have that many on hand.

(venv) [maglub@Magnuss-MacBook-Pro-2:~]$ ssh-add -l
2048 SHA256:hTgZ3y4k+xptgCIdYyfo0zrvWy1z/tKDzHm7jYNPeKc cardno:000607543890 (RSA)
256 SHA256:5o4P9m745yN1/6llE0ZyZfIsSxyqMfMPNJrPKfUzP4o malu@kmg-mcp001.local (ED25519)
2048 SHA256:g5ltwN1Fu+BdTsJiJeLTeruglmUCrqDMErbAW4mvBG0 /Users/maglub/.ssh/id_rsa (RSA)
256 SHA256:7iRjE2tSsU0u/tnyen9wiyohz4V0UQfiKOSRE9NWcr8 ubuntu@no-name (ED25519)
4096 SHA256:UhgZhyhrzIOnJYlCPMgSTbuMtschI/RjHw7FgYXMq6I ops-mlue.key (RSA)
256 SHA256:6v1PKv0y9/bZF+IC0lL+4q8lnX+cG2XwDaqi4zKTND8 ops@com-adm-l01 (ED25519)
2048 SHA256:4e/qQX/gPKAJmWDeFiSlsz7PVBvS1MFf7QaN6VByQ1I /home/ubuntu/.ssh/id_rsa (RSA)

It did not really matter how much I tried to invalidate the keys (well, I tried to remove the obsolete keys, which might not count as trying very hard).

I worked around this by upping the MaxAuthTries to 30 on the systems I had to log in on.

myUser@wue-irrigation-r01:~ $ grep MaxAuthTries /etc/ssh/sshd_config
MaxAuthTries 30

myUser@wue-irrigation-r01:~ $ sudo systemctl restart sshd

This is not really a long-term solution; the proper fix is to remove the unused keys from your keyring. Enter Stack Exchange… https://unix.stackexchange.com/questions/185393/gpg-agent-doesnt-remove-my-ssh-key-from-the-keyring

This took me halfway.

  • gpg-connect-agent
  • KEYINFO --ssh-list --ssh-fpr

The next issue was that gpg-agent showed me MD5 hashes, while ssh-add -l showed me SHA256 hashes. Since I am not a good enough developer, and I lack some skills in cryptology, I could not quickly throw together a SHA256 to MD5 converter.

Instead, I read the manual page for ssh-add (man 1 ssh-add):

     -E fingerprint_hash
             Specifies the hash algorithm used when displaying key fingerprints.  Valid options are: md5 and sha256.  The default is sha256.

So, with this I could identify my keys with MD5:

(venv) [maglub@Magnuss-MacBook-Pro-2:~]$ ssh-add -l -E md5
2048 MD5:be:64:d3:79:84:b3:78:ea:cc:06:61:e3:9b:d2:0b:a4 cardno:000607543890 (RSA)
256 MD5:42:26:54:ff:1b:a4:cf:8d:92:07:ff:d3:4b:93:83:49 malu@kmg-mcp001.local (ED25519)
2048 MD5:66:9c:0d:2e:5c:56:bf:17:b4:ab:2f:20:98:90:5d:d7 /Users/maglub/.ssh/id_rsa (RSA)
256 MD5:7e:d8:15:c6:8d:63:f0:eb:9d:99:70:46:90:f0:ef:a7 ubuntu@no-name (ED25519)
4096 MD5:bc:e2:fa:59:e5:36:87:b6:de:6a:9a:91:40:d8:9c:86 ops-mlue.key (RSA)
256 MD5:f7:bc:26:01:15:3e:89:29:8a:b6:fd:9d:0b:b9:90:9b ops@com-adm-l01 (ED25519)
2048 MD5:d2:66:6a:82:3f:cb:f5:0f:23:ac:a4:e4:4d:7c:2a:c4 /home/ubuntu/.ssh/id_rsa (RSA)
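One fingerprint cannot be turned into the other, but both can be recomputed from the public key itself, which ssh-add -L prints. The script below is an added example, not code from the original post: it assembles two constructed (not real) keys in OpenSSH wire format, derives the MD5 and SHA256 fingerprints exactly as ssh-add -l -E md5 and ssh-add -l display them, and looks a key up by either form, which is the matching step between the gpg-agent KEYINFO output and the ssh-add listing; the key bytes and comments are made up.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_pubkey_line(key_type: str, fields: list, comment: str) -> str:
    """Assemble an OpenSSH public-key line (the form ssh-add -L prints) from wire-format fields."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str):
    """Split a public-key line into (key_type, raw blob, comment) and sanity-check the blob."""
    parts = line.split(None, 2)
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2] if len(parts) > 2 else ""
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():  # the blob's first string must repeat the type
        raise ValueError("key type inside blob does not match line prefix")
    return key_type, blob, comment

def fingerprints(blob: bytes) -> dict:
    """Both forms ssh-add -l can print: MD5 as colon-separated hex, SHA256 as unpadded base64."""
    md5_hex = hashlib.md5(blob).hexdigest()
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
            "SHA256": "SHA256:" + sha_b64}

def fingerprint_table(lines) -> dict:
    """Map each key comment in an ssh-add -L listing to its type and both fingerprints."""
    table = {}
    for line in lines:
        key_type, blob, comment = parse_pubkey_line(line)
        table[comment] = {"type": key_type, **fingerprints(blob)}
    return table

def lookup(table: dict, fingerprint: str):
    """Return the comment of the key whose MD5 or SHA256 fingerprint matches, else None."""
    return next((c for c, i in table.items() if fingerprint in (i["MD5"], i["SHA256"])), None)

# Constructed sample keys (not real keys): 32 arbitrary bytes for ed25519, and e/n mpints for RSA.
SAMPLE_LISTING = [
    build_pubkey_line("ssh-ed25519", [bytes(range(32))], "ubuntu@no-name"),
    build_pubkey_line("ssh-rsa", [b"\x01\x00\x01", b"\x7f" + b"\x11" * 255], "ops@com-adm-l01"),
]
```

Feed it the real output of ssh-add -L instead of SAMPLE_LISTING and the MD5 column lines up with what gpg-connect-agent's KEYINFO --ssh-list --ssh-fpr reports.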

After checking which keys I really use, I could remove the unused ones from the keyring.

(venv) [maglub@Magnuss-MacBook-Pro-2:~]$ gpg-connect-agent
> DELETE_KEY 60407DF04E06D80F987C32C85F3A38E54D1E22D2
OK
> DELETE_KEY BB2D702632AFE4D67A9F957AA6783C501793CF29
OK
> DELETE_KEY 91463F7E29F74C3484A1C380B7DA735B00E90545
OK
> DELETE_KEY 78D8C0A79A410D0676CC169A3C7FB6062CD1DDF3
OK

Mission complete!
