| Summary: | Allow the ssh client to tell ssh-agent which key should be used. |
|---|---|
| Product: | Portable OpenSSH |
| Reporter: | Anton Chevychalov <pub> |
| Component: | ssh-agent |
| Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED |
| Severity: | enhancement |
| CC: | djm, dtucker |
| Priority: | P5 |
| Version: | 6.0p1 |
| Hardware: | Other |
| OS: | Linux |
| Bug Depends on: | |
| Bug Blocks: | 2076 |
| Attachments: | |
Description
Anton Chevychalov
2012-07-06 18:57:03 AEST
Didn't IdentitiesOnly do what you want? That plus IdentityFile should cause the client to only try the key specified by IdentityFile.

    IdentitiesOnly
        Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. The argument to this keyword must be "yes" or "no". This option is intended for situations where ssh-agent offers many different identities. The default is "no".

    IdentityFile
        Specifies a file from which the user's RSA or DSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication.

As far as I understand, the parameters "-i" and "IdentityFile" can be used only for authentication without ssh-agent. It means that when you say -i ~/.ssh/id_rsa it will try to find this on the file system, not in ssh-agent. I want to have something like -i but for the case when my keys are not on the file system but in ssh-agent.

-i or IdentityFile will use a key from the agent if it has one with a matching fingerprint. IdentitiesOnly will use only the identities specified by IdentityFile, and if the agent has it that's what will get used. The man page doesn't really mention this, so maybe we should add something.

Oh. It's really nice! It means that everything I need is ssh-agent with previously imported keys and public keys as a source of fingerprints. I think it should be mentioned in the man pages just because a lot of people think it can't work. But why is there no search by key name? I mean that a name is simpler than a fingerprint and you can store this parameter in ssh_config.

Created attachment 2186 [details]
Document interaction of IdentitiesOnly, IdentityFile and ssh-agent more explicitly

patch applied - this will be in openssh-6.3

Close all resolved bugs after 7.3p1 release
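The behaviour the thread settles on (IdentitiesOnly yes plus an IdentityFile that names only a .pub, with the private key living in ssh-agent, selects that one agent key by fingerprint) is easy to get wrong in a config, so here is an added example that models it. This is illustration code written for this page, not OpenSSH's own implementation: the key blobs are syntactically valid but filled with constant bytes (not real key pairs), the host git.example.com, the file paths and the key comments are constructed, and the ordering between the groups of candidate keys is simplified relative to what sshconnect2.c actually does. What it does show faithfully is the SHA256 fingerprint format that ssh-add -l and ssh-keygen -lf print, and that the match is made on key material, never on the file name.

```python
"""Added example (not OpenSSH code): how ssh(1) picks identities when IdentityFile
names a .pub and the private key exists only in ssh-agent. Keys, paths, host name
and ssh_config text below are constructed for the demonstration."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_pubkey(fill: int, comment: str) -> str:
    """Build a syntactically valid 'ssh-ed25519 <base64 blob> <comment>' line.
    The 32 key bytes are a constant filler, so this is NOT a usable key pair;
    it only needs to round-trip through base64 and SHA-256 like a real one."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf / ssh-add -l print it:
    base64(SHA-256(wire-format blob)) with the '=' padding stripped."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_host_block(config_text: str) -> dict:
    """Minimal ssh_config reader for a single Host block: only the two
    keywords this bug is about, IdentitiesOnly and IdentityFile."""
    opts = {"IdentitiesOnly": "no", "IdentityFile": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Host "):
            continue
        key, _, value = line.partition(" ")
        if key == "IdentityFile":
            opts["IdentityFile"].append(value.strip())
        elif key == "IdentitiesOnly":
            opts["IdentitiesOnly"] = value.strip().lower()
    return opts


def identities_to_offer(config_text: str, files: dict, agent_keys: list) -> list:
    """Return [(fingerprint, source)] the client would try, in a simplified order.
    `files` maps an IdentityFile path to the text of that .pub (private keys are
    assumed absent on disk, the situation in the bug report); `agent_keys` is what
    `ssh-add -L` prints."""
    opts = parse_host_block(config_text)
    in_agent = {fingerprint(line): line for line in agent_keys}
    offered = []
    for path in opts["IdentityFile"]:
        pub = files.get(path)
        if pub is None:
            continue  # unreadable identity file: ssh(1) skips it
        fp = fingerprint(pub)
        if fp in in_agent:
            offered.append((fp, "agent"))  # matched by key material, not file name
        # .pub present, no private key on disk, not in the agent: nothing can sign
    if opts["IdentitiesOnly"] != "yes":
        for fp in in_agent:  # without IdentitiesOnly every agent key is offered
            if (fp, "agent") not in offered:
                offered.append((fp, "agent"))
    return offered


# Constructed sample data: two keys loaded in the agent, one stale .pub on disk only.
WORK = fake_ed25519_pubkey(0x11, "work@laptop")
PERSONAL = fake_ed25519_pubkey(0x22, "personal@laptop")
STALE = fake_ed25519_pubkey(0x33, "old@laptop")
AGENT = [WORK, PERSONAL]
FILES = {"~/.ssh/personal.pub": PERSONAL, "~/.ssh/old.pub": STALE}

PINNED = """Host git.example.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/personal.pub
"""
LOOSE = """Host git.example.com
    IdentityFile ~/.ssh/old.pub
"""

if __name__ == "__main__":
    for name, cfg in (("pinned", PINNED), ("loose", LOOSE)):
        print(name, identities_to_offer(cfg, FILES, AGENT))
```

With the pinned block exactly one key is offered, the agent-held key whose fingerprint matches ~/.ssh/personal.pub; with the loose block the stale .pub contributes nothing (no private key anywhere to sign with) and both agent keys are offered, which is the "agent offers many different identities" situation the IdentitiesOnly man-page text warns about. On a real system the same check is `ssh-keygen -lf ~/.ssh/personal.pub` against `ssh-add -l`, and `ssh -v` shows which key is actually sent in its "Offering public key" lines.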