Bug 2970

Summary: explicit IdentityFile has lower priority than agent keys
Product: Portable OpenSSH
Reporter: Ilya Basin <basinilya>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: djm, dtucker
Priority: P5
Version: 7.9p1
Hardware: Other
OS: Windows 7

Description Ilya Basin 2019-02-18 20:35:53 AEDT
I need to offer a non-default ssh key when I access some git repos. In my `~/.gitconfig` I have:

    [url "git@gh-org:privateorg/"]
            insteadOf = git@github.com:privateorg/

And in my `~/.ssh/config` I have:

    Host gh-org
            HostName github.com
            IdentityFile ~/.ssh/zzz-basi01.id_rsa.disabled

`.disabled` means it should not be added to the agent automatically so I don't have too many keys in it (to address "Too many authentication failures" on password-protected servers).

However, if the key is *not* added to the agent, when I try to connect, ssh first tries the agent keys:

    debug1: Will attempt key: /home/basin/.ssh/id_rsa RSA xxxxx agent
    debug1: Will attempt key: funktestkey RSA xxxx agent
    debug1: Will attempt key: /home/basin/.ssh/zzz-basi01.id_rsa.disabled  explicit
    ...
    debug1: Offering public key: /home/basin/.ssh/id_rsa RSA xxxxx agent
    ...
    debug1: Server accepts key: /home/basin/.ssh/id_rsa RSA xxxx agent


The workaround is to disable agent usage with `IdentityAgent none`.

However, I expect ssh to try the identities from the agent and from files in a mixed manner, explicit first.
Comment 1 Darren Tucker 2019-02-18 21:35:11 AEDT
I think IdentitiesOnly does what you want:

IdentitiesOnly
       Specifies that ssh(1) should only use the authentication identity
       and certificate files explicitly configured in the ssh_config
       files or passed on the ssh(1) command-line, even if ssh-agent(1)
       or a PKCS11Provider offers more identities.  The argument to this
       keyword must be yes or no (the default).  This option is intended
       for situations where ssh-agent offers many different identities.
Comment 2 Ilya Basin 2019-02-20 05:29:53 AEDT
Even with IdentitiesOnly=yes, among the explicitly listed keys the agent keys take precedence, regardless of their order on the command line:

	ssh -vvv -oIdentitiesOnly=yes -oBatchMode=yes -i ~/.ssh/zzz-test2.id_rsa -i ~/.ssh/id_rsa localhost date
	...
	debug1: Will attempt key: /home/il/.ssh/id_rsa RSA xxx explicit agent
	debug1: Will attempt key: /home/il/.ssh/zzz-test2.id_rsa RSA xxx explicit

I still think it is natural to expect that `ssh -i identity_file` will first try the identity_file without the need to specify additional options.
Comment 3 Damien Miller 2019-02-22 14:51:10 AEDT
This is deliberate - agent keys are always preferred because they will typically not require the user to enter a passphrase, whereas keys on the filesystem are far more likely to.

IMO this gives the best experience for the majority of users.
Comment 4 Damien Miller 2021-04-23 15:04:35 AEST
closing resolved bugs as of 8.6p1 release
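Added example (not from the bug report or from OpenSSH itself): the per-host configuration that gives the reporter the single-key behaviour asked for above. `IdentitiesOnly yes` (Comment 1) limits ssh to the configured identity, and `IdentityAgent none` (the reporter's own workaround) keeps an agent-loaded copy of that key from being tried first, which is the ordering shown in Comment 2. The script writes the `Host gh-org` block to a temporary file and reads the effective settings back with `ssh -G`, which prints the resolved configuration without connecting. The alias, HostName and key path are the ones from the report; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report: hardened per-host ssh_config
# entry for the gh-org alias plus a check of what ssh actually resolves.
set -eu

# Write the Host block to the file named in $1.
# Alias, HostName and IdentityFile are taken from the report.
write_host_config() {
    cat > "$1" <<'EOF'
# Exactly one key is offered to github.com via this alias:
#  - IdentitiesOnly yes: ignore every identity the agent or a PKCS11
#    provider offers that is not configured here.
#  - IdentityAgent none: do not consult the agent at all, so a copy of
#    the same key loaded in the agent cannot be tried ahead of the file.
Host gh-org
    HostName github.com
    IdentityFile ~/.ssh/zzz-basi01.id_rsa.disabled
    IdentitiesOnly yes
    IdentityAgent none
EOF
}

# Print the effective value of option $2 for host alias $1 using the
# config file $3, as reported by `ssh -G` (no connection is made).
# Prints nothing if ssh is not installed, so the script still runs.
effective_option() {
    command -v ssh >/dev/null 2>&1 || return 0
    ssh -G -F "$3" "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

cfg=$(mktemp)
write_host_config "$cfg"
# Expected with OpenSSH present: identitiesonly=yes, identityagent=none,
# identityfile=~/.ssh/zzz-basi01.id_rsa.disabled
for opt in identitiesonly identityagent identityfile; do
    printf '%s=%s\n' "$opt" "$(effective_option gh-org "$opt" "$cfg")"
done
rm -f "$cfg"
```

`ssh -G -F file alias` is the quickest way to confirm which of several overlapping `Host` blocks and defaults actually apply before a connection is attempted; a `-vvv` run should then show a single `Will attempt key:` line marked `explicit` and no `agent` entries. The `IdentitiesOnly yes` line also caps the number of keys offered, which addresses the "Too many authentication failures" problem the reporter mentions.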