Pageant: tries only one key, SSH authentication fails

[minfrin]

Describe the bug
When Mountain Duck attempts to connect to Pageant (and I assume ssh-agent), and multiple keys are present, Mountain Duck attempts to authenticate with one key at random.

If this key is not allowed into the server, Mountain Duck then gives up trying to log in. What Mountain Duck should be doing is trying all keys until one succeeds, not just one.

As a result, we have random and unpredictable auth failures.

To Reproduce
Steps to reproduce the behavior:

1. Have smartcard with two keys.
2. Grant server access to one key.
3. Attempt to connect using Mountain Duck + Pageant.
4. Mountain Duck chooses a not-allowed key, connection is rejected, mountain duck gives up, and doesn't try the second key.

Expected behavior
All keys available are tried in turn against the server, until the correct one works.

Screenshots

Desktop (please complete the following information):

• OS: Windows
• Version Unknown (most recent, most likely)

Log Files

2023-06-15 15:47:25,732 [sshj-Reader-arnie.xxx/2a01:4f8:d1:3e01:3f0a:5d78:48f3:b220:22-1686836843476] DEBUG com.jcraft.jsch.agentproxy.sshj.AuthAgent - Attempting authentication using agent identity John Smith (Globalsign) from Titan in Certgate GmbH AirID 2 Mini USB 0
2023-06-15 15:47:25,955 [sshj-Reader-arnie.xxx/2a01:4f8:d1:3e01:3f0a:5d78:48f3:b220:22-1686836843476] DEBUG net.schmizz.concurrent.Promise - Setting <<authenticated>> to `false`
2023-06-15 15:47:25,955 [background-3] DEBUG net.schmizz.sshj.userauth.UserAuthImpl - `publickey` auth failed
2023-06-15 15:47:25,955 [background-3] WARN  ch.cyberduck.core.sftp.SFTPSession - Login refused with credentials Credentials{user='root', oauth='OAuthTokens{accessToken='', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=null} and authentication method ch.cyberduck.core.sftp.auth.SFTPAgentAuthentication@1e1404d
[second key should be tried here]
2023-06-15 15:47:25,955 [background-3] DEBUG ch.cyberduck.core.sftp.SFTPSession - Remaining authentication methods [publickey, gssapi-keyex, gssapi-with-mic]

[ylangisc]

Would need some more logging context as all available identities should be tried as long as the server doesn't reject any more due to too many auth requests. Can you please share the whole log file from a connection attempt?

[minfrin]

I've sent logs via the support ticket.

[ylangisc]

Thanks for the logs.

Yes, MaxAuthTries is the correct setting to increase the number of login attempts. And as mentioned after increasing the number to 10000 the second identity was tried this time but fails too. From a client's perspective this is kind of a black box why the server rejects the correct identity. The only way I see is to check the server logs and to increase the log level if necessary.

[minfrin]

We were able to clarify that a bug in the smartcard driver was causing the client side to fail during signing with a low level error.

Instead of handling the error as "that key didn't work, let's try the next key along", Mountain Duck gives up and tries no further keys.

The server side was behaving correctly, no login attempts were completed.