LinuxQuestions.org > Linux - Newbie
Unable to use one of two ssh keys to connect (https://www.linuxquestions.org/questions/linux-newbie-8/unable-to-use-one-of-two-ssh-keys-to-connect-4175547203/)

vincix 07-04-2015 07:11 AM

Unable to use one of two ssh keys to connect
 
Hi,

I am trying to connect from Mac OS (Yosemite) to CentOS 6.6 through ssh.
I have two users that I connect to with two different pairs of (rsa) keys.

For user1 I'm using ~/.ssh/id_rsa and for user2 I'm using ~/.ssh/id_user2

When I try to connect using user2's credentials, user1's key takes precedence. I know this because it prompts me for the Mac OS user password to store the passphrase associated with user1's private key, and user2's private key doesn't have a passphrase.

I added both identities with ssh-add -K, but I receive this error: Too many authentication failures for user2. This means, of course, that it tries to use user1's credentials.

I even tried adding only user2's private key with ssh-add -K, but it still tries to connect with ~/.ssh/id_rsa.

Of course, I would like the keys to be used automatically depending on the user I'd like to connect through.

/etc/ssh_config contains:

    IdentityFile ~/.ssh/id_trans
    IdentityFile ~/.ssh/id_rsa

How can I get around this issue?

Thanks in advance

smallpond 07-04-2015 09:43 AM

SSH permissions are pretty simple. Different users' keys don't conflict because they have different home directories and store their keys in ~/.ssh. Two people logging into the same account from the same IP are the same user.

michaelk 07-04-2015 11:05 AM

If you do not specify an IdentityFile on the command line with the -i option, it defaults to ~/.ssh/id_rsa, and I believe when using ssh-agent the id_rsa key is offered first.

My suggestion is to create a user config file (.ssh/config) and add the following. To log in as user1 the command is ssh user1.host, and for user2 it is ssh user2.host. Change user1(2).host to any unique name as desired.

Host user1.host
hostname server
User user1
IdentityFile ~/.ssh/key_for_user1
IdentitiesOnly yes

Host user2.host
hostname server
User user2
IdentityFile ~/.ssh/key_for_user2
IdentitiesOnly yes
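
The two ssh_config(5) rules that decide whether the Host blocks above actually pin the key are worth seeing in code, so here is an added example (not OpenSSH code, and not part of the post above) that models them on a constructed copy of the suggested ~/.ssh/config and of the global /etc/ssh_config from the question. For an ordinary keyword the first value obtained wins, with ~/.ssh/config read before the global file; IdentityFile is the exception and accumulates every directive in scope, and IdentitiesOnly only filters out agent keys that are not configured anywhere. The toy resolver handles only Host blocks and plain "Keyword value" lines, ignores Match, Include and the built-in default identity files, and treats the alias names, key paths and "server" host name as the constructed values they are.

```shell
#!/usr/bin/env bash
# Added example (not OpenSSH code): a toy resolver for the two ssh_config(5) rules
# behind this thread. It models only Host blocks and plain "Keyword value" lines.

# Constructed sample ~/.ssh/config: the two aliases suggested in the thread.
USER_CONFIG='Host user1.host
    HostName server
    User user1
    IdentityFile ~/.ssh/key_for_user1
    IdentitiesOnly yes

Host user2.host
    HostName server
    User user2
    IdentityFile ~/.ssh/key_for_user2
    IdentitiesOnly yes
'

# Constructed sample /etc/ssh_config with the two global IdentityFile lines from
# the question; they apply to every host because no Host block precedes them.
GLOBAL_CONFIG='IdentityFile ~/.ssh/id_trans
IdentityFile ~/.ssh/id_rsa
'

# scan_config ALIAS KEYWORD   (one config file on stdin)
# Prints each value of KEYWORD that applies to ALIAS in this file. Lines before the
# first Host block apply to every host; a Host block applies when one of its
# patterns glob-matches ALIAS. Keywords are case-insensitive.
scan_config() {
  local alias="$1" want key val lkey pat pats in_scope=1
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  while read -r key val; do
    [ -n "$key" ] || continue                 # blank line
    case "$key" in '#'*) continue ;; esac     # comment
    lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    if [ "$lkey" = host ]; then
      in_scope=0
      read -ra pats <<< "$val"                # read -a splits without filename globbing
      for pat in "${pats[@]}"; do
        case "$alias" in $pat) in_scope=1 ;; esac   # unquoted: glob match, as ssh does
      done
      continue
    fi
    if [ "$in_scope" -eq 1 ] && [ "$lkey" = "$want" ]; then
      printf '%s\n' "$val"
    fi
  done
}

# resolve ALIAS KEYWORD
# ssh reads ~/.ssh/config first, then the global file, and for an ordinary keyword
# the FIRST value obtained wins. IdentityFile is different: every IdentityFile in
# scope is appended to the list of keys to try, so the global id_rsa line is still
# offered for user2.host even though its Host block names another key and sets
# IdentitiesOnly yes (IdentitiesOnly drops unconfigured agent keys, not configured files).
resolve() {
  local alias="$1" keyword="$2" values
  values=$(
    printf '%s\n' "$USER_CONFIG"   | scan_config "$alias" "$keyword"
    printf '%s\n' "$GLOBAL_CONFIG" | scan_config "$alias" "$keyword"
  )
  case "$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" in
    identityfile) printf '%s' "$values" | tr '\n' ',' ;;   # all files, in the order tried
    *)            printf '%s\n' "$values" | head -n 1 ;;    # first obtained value wins
  esac
}

# Stand-alone run: show what user2.host actually resolves to.
for k in HostName User IdentitiesOnly IdentityFile; do
  printf '%-14s %s\n' "$k" "$(resolve user2.host "$k")"
done
```

Run as written, the IdentityFile line for user2.host lists key_for_user2 followed by id_trans and id_rsa, which is the behaviour the thread goes on to hit: the Host block is honoured, but the global IdentityFile lines are still in the list until they are removed from the global file.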

vincix 07-04-2015 01:27 PM

Quote (Originally Posted by michaelk, Post 5387116):

    If you do not specify an IdentityFile on the command line with the -i option, it defaults to ~/.ssh/id_rsa, and I believe when using ssh-agent the id_rsa key is offered first.

    My suggestion is to create a user config file (.ssh/config) and add the following. To log in as user1 the command is ssh user1.host, and for user2 it is ssh user2.host. Change user1(2).host to any unique name as desired.

    Host user1.host
    hostname server
    User user1
    IdentityFile ~/.ssh/key_for_user1
    IdentitiesOnly yes

    Host user2.host
    hostname server
    User user2
    IdentityFile ~/.ssh/key_for_user2
    IdentitiesOnly yes

Well, actually, it all started from a crontab configuration in which I did specifically use rsync -e 'ssh -i /path/to/key', but nonetheless it didn't work.

Anyway, I've configured it, but when I run

    ssh user2.host

I get the same error - "Too many authentication failures for user2".

Is it related to the fact that one of the private keys is called id_rsa? Maybe I should rename it, as it's the default file that ssh searches for?

michaelk 07-04-2015 01:41 PM

I would delete or comment out the IdentityFile lines in the global ssh config file (/etc/ssh/ssh_config). Also try deleting the identities from ssh-agent:

    ssh-add -D

vincix 07-04-2015 02:23 PM

I commented out the IdentityFile lines and I deleted the keys. Yet I get the same error. I'm thinking it might be related to the Mac OS keychain, but I don't know.

The problem is that now I cannot connect at all with that user since I changed the pair. Before I could, eventually, after tinkering with it more or less randomly. Now it simply says Permission denied (publickey). I am trying to understand what I'm doing wrong.

I did ssh-keygen -t rsa on the client side, generated both files, and copied the public key to ~/.ssh/authorized_hosts.

I don't get it, and I'm not sure how to begin to troubleshoot the problem now that I am not 100% sure that the pair of keys is correctly configured (even though I've done it before and it works with the other user, and I don't think that should be the problem).

The private keys both have 700 permissions.

vincix 07-04-2015 02:32 PM

Only now did it cross my mind to have a look at /var/log/secure :)
It was a problem of bad ownership of the home directory (which is /backup). I gave the apache group permissions to it so as to have access to it. So ssh doesn't like that, as it sees it as a security risk. And it's rather natural, now that I think of it.

What would be a good workaround for this problem? Change the home folder for that user and leave /backup as a common folder for both apache and the respective user?
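
The refusal found in /var/log/secure above comes from sshd's StrictModes check (on by default): before it reads authorized_keys, sshd requires the home directory, ~/.ssh and the key file itself to be owned by the user (or root) and to be writable by nobody else, and a group-writable home such as /backup fails that check, giving "Permission denied (publickey)" on the client. The following added example (not sshd's code, and not from the thread) reproduces that check as a stand-alone audit so the cause can be seen before reading the server log; the throwaway directory it builds, and the 770/750 modes, are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not sshd code): reproduce the StrictModes ownership/permission
# check that made sshd reject the key in this thread. sshd refuses to use
# authorized_keys unless the home directory, ~/.ssh and the key file are each
# owned by the user or root and are not group- or world-writable.

# mode_and_owner PATH -> "OCTAL_MODE OWNER"; GNU and BSD stat use different flags.
mode_and_owner() {
  stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# audit_ssh_home HOME_DIR USER
# Prints one finding per offending path and returns 1 if any were found; prints
# nothing and returns 0 when the tree would pass sshd's StrictModes check.
audit_ssh_home() {
  local home="$1" user="$2" path mode owner rc=0
  for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$path" ]; then
      echo "MISSING $path"; rc=1; continue
    fi
    read -r mode owner < <(mode_and_owner "$path")
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
      echo "BAD_OWNER $path is owned by $owner, expected $user"; rc=1
    fi
    # group-write (020) or world-write (002) bit set: rejected under StrictModes
    if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then
      echo "WRITABLE_BY_OTHERS $path mode $mode"; rc=1
    fi
  done
  return "$rc"
}

# demo: build a throwaway "home" shaped like the one in the thread (group-writable,
# as /backup was after opening it to the apache group), audit it, fix it, re-audit.
demo() {
  local home me
  home=$(mktemp -d) && me=$(id -un)
  mkdir -p "$home/.ssh" && : > "$home/.ssh/authorized_keys"
  chmod 770 "$home" && chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/authorized_keys"
  echo "== home directory opened to a group =="
  audit_ssh_home "$home" "$me" || echo "-> sshd would refuse this key"
  chmod 750 "$home"
  echo "== after chmod 750 =="
  audit_ssh_home "$home" "$me" && echo "-> OK, sshd would accept this tree"
  rm -rf "$home"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then demo; fi
```

Point it at a real account with `audit_ssh_home /backup user2` to get the same verdict sshd reaches, without waiting for the login attempt and the log line.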

michaelk 07-04-2015 02:38 PM

This is what I would do...

