| Summary: | explicit IdentityFile has lower priority than agent keys | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Ilya Basin <basinilya> |
| Component: | ssh | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED WONTFIX | ||
| Severity: | enhancement | CC: | djm, dtucker |
| Priority: | P5 | ||
| Version: | 7.9p1 | ||
| Hardware: | Other | ||
| OS: | Windows 7 | ||
I need to offer a non-default ssh key when I access some git repos. In my `~/.gitconfig` I have:

```
[url "git@gh-org:privateorg/"]
    insteadOf = git@github.com:privateorg/
```

And in my `~/.ssh/config` I have:

```
Host gh-org
    HostName github.com
    IdentityFile ~/.ssh/zzz-basi01.id_rsa.disabled
```

`.disabled` means it should not be added to the agent automatically so I don't have too many keys in it (to address "Too many authentication failures" on password-protected servers). However, if the key is *not* added to the agent, when I try to connect, ssh first tries the agent keys:

```
debug1: Will attempt key: /home/basin/.ssh/id_rsa RSA xxxxx agent
debug1: Will attempt key: funktestkey RSA xxxx agent
debug1: Will attempt key: /home/basin/.ssh/zzz-basi01.id_rsa.disabled explicit
...
debug1: Offering public key: /home/basin/.ssh/id_rsa RSA xxxxx agent
...
debug1: Server accepts key: /home/basin/.ssh/id_rsa RSA xxxx agent
```

The workaround is to disable agent usage with `IdentityAgent none`. However, I expect ssh to try the identities from agent and files in the mixed manner, explicit first.

I think IdentitiesOnly does what you want:

```
IdentitiesOnly
    Specifies that ssh(1) should only use the authentication identity
    and certificate files explicitly configured in the ssh_config
    files or passed on the ssh(1) command-line, even if ssh-agent(1)
    or a PKCS11Provider offers more identities. The argument to this
    keyword must be yes or no (the default). This option is intended
    for situations where ssh-agent offers many different identities.
```

Even with IdentitiesOnly=yes, among explicitly listed keys agent keys take precedence, regardless of the order in the command line:

```
ssh -vvv -oIdentitiesOnly=yes -oBatchMode=yes -i ~/.ssh/zzz-test2.id_rsa -i ~/.ssh/id_rsa localhost date
...
debug1: Will attempt key: /home/il/.ssh/id_rsa RSA xxx explicit agent
debug1: Will attempt key: /home/il/.ssh/zzz-test2.id_rsa RSA xxx explicit
```

I still think it is natural to expect that `ssh -i identity_file` will first try the identity_file without the need to specify additional options.

This is deliberate - agent keys are always preferred because they will typically not require the user to enter a passphrase, whereas keys on the filesystem are far more likely to. IMO this gives the best experience for the majority of users.

closing resolved bugs as of 8.6p1 release
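To make the ordering discussed in this report concrete, here is an added Python model of the behaviour the debug transcripts show (illustration only, not OpenSSH's code): agent keys first, then file-only keys, with `IdentitiesOnly=yes` filtering rather than reordering, and `IdentityAgent none` as the only setting that puts the configured file first. Matching keys by path, and the key names used as sample input, are assumptions taken from the transcripts above.

```python
# Added illustration of the key-trial order described in this report; not
# OpenSSH's code. Keys are matched by path (ssh compares the public keys).
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    name: str    # path or comment as printed in "Will attempt key"
    source: str  # "agent", "explicit" or "explicit agent"


def attempt_order(agent_keys, explicit_keys,
                  identities_only=False, identity_agent=True):
    """Return the keys ssh will try, in order.

    agent_keys:    keys loaded in ssh-agent, in agent order
    explicit_keys: IdentityFile entries from ssh_config / -i, in config order
    """
    if not identity_agent:
        agent_keys = []  # IdentityAgent none: the agent is never consulted
    explicit = set(explicit_keys)
    order = []
    # Agent keys come first, in agent order. IdentitiesOnly=yes only drops
    # agent keys that are not explicitly configured; a configured key that
    # is also loaded in the agent still precedes every file-only key.
    for k in agent_keys:
        if k in explicit:
            order.append(Key(k, "explicit agent"))
        elif not identities_only:
            order.append(Key(k, "agent"))
    # Then the explicitly configured keys the agent did not already offer.
    for k in explicit_keys:
        if k not in agent_keys:
            order.append(Key(k, "explicit"))
    return order


def debug_lines(order):
    """Render like the ssh -v transcripts above (fingerprint elided as xxx)."""
    return [f"debug1: Will attempt key: {k.name} RSA xxx {k.source}" for k in order]


if __name__ == "__main__":
    # Constructed input mirroring the description: two agent keys, one IdentityFile.
    agent = ["/home/basin/.ssh/id_rsa", "funktestkey"]
    files = ["/home/basin/.ssh/zzz-basi01.id_rsa.disabled"]
    print("\n".join(debug_lines(attempt_order(agent, files))))
    print("-- with IdentityAgent none --")
    print("\n".join(debug_lines(attempt_order(agent, files, identity_agent=False))))
```

The defender's takeaway the model makes visible: `IdentitiesOnly=yes` limits which agent keys are offered to a host, but only `IdentityAgent none` (or not loading the key into the agent at all) stops the agent's keys from being offered before the configured file.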