If you’ve read Filippo Valsorda’s guide to using mosh+tmux in a smart way, you’ve probably also noticed that, with mosh, specifying an ssh keyfile is no longer a relatively simple matter of typing:
ssh -i ~/.ssh/keyfilename [...]
but it’s now this mess:
mosh --ssh="ssh -i ~/.ssh/keyfilename" [...]
and that is rather cumbersome, especially considering there’s a better way anyway to manage ssh keyfiles.
If you’re like me, you might have dozens of private key files stored in your local ~/.ssh/ directory, perhaps one for every organization, provider, and datacenter / location combination.
You might have also noticed that sometimes, even without specifying a keyfile, connections go through anyway, and that’s because your local client is cycling through each locally stored key and using it to authenticate against the server. Except that after a certain number of attempts the server will terminate the connection and return:
Received disconnect from [server-address] port 22:2: Too many authentication failures Connection to [server] closed by remote host. Connection to [server] closed.
So if you have fewer keys than the maximum number of attempts the server allows, or if the client happens to try them in the right order, you’re good, but any other time you will get kicked off, and you’ll have to manually specify the keyfile as shown above.
There’s an easy fix however. Simply log into all of your servers and:
# nano /etc/ssh/sshd_config ### Increase the number of max attempts to a number higher than your keyfiles MaxAuthTries 16 ### save and exit with control-x and press y when prompted
Now restart the ssh daemon:
# service ssh restart
Do not exit the current session yet, open a new terminal window, and log in [via ssh or mosh, doesn’t matter] to the server without specifying a keyfile, and it should let you in no questions asked!
If everything worked correctly, you can exit the original session, otherwise keep it open, by all means, and double-check your work, and don’t leave it until you are sure you can open a new connection to the server, or else you will be locked out as soon as you close the original session.
This of course will work best in conjunction with global host settings on your client, which you can do by simply doing – on your client:
# nano ~/.ssh/config ### Add the following lines: Host * Port 42022 User root ### if, for instance, most of your servers have a custom SSH port [like 42022 in my case] and you log in directly as root ### save and exit
This will apply global settings for all of your ssh connections, and you can specify pattern-specific settings for specific servers as well.
In the end, thanks to these simple tips, you’ll reach ninja-admin status and the holy grail of turning:
mosh --ssh="ssh -i ~/.ssh/keyfilename -p42022" root@server-hostname-or-ip
Also, if you are into servers and security, check out our first-boot hardening script for Debian/Ubuntu machines, called inception. Among several things, it automatically configures everything that is described in this article on you server with no extra effort.