Bug 2024 - Allow to ssh client say to ssh-agent which key should be used.
Summary: Allow to ssh client say to ssh-agent which key should be used.
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-agent
Version: 6.0p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_6_3
Reported: 2012-07-06 18:57 AEST by Anton Chevychalov
Modified: 2016-08-02 10:42 AEST

See Also:


Attachments
Document interaction of IdentitiesOnly, IdentityFile and ssh-agent more explicitly (1.02 KB, patch)
2012-09-07 11:29 AEST, Damien Miller
dtucker: ok+

Description Anton Chevychalov 2012-07-06 18:57:03 AEST
There is no way to tell ssh-agent which one of the keys should be used. That's why it tries to use all of them in order, and if you have more than 5 keys, you will receive "Too many authentication failures for".

It's bad and I have no idea how to work around this problem without modification of the source code.
Comment 1 Darren Tucker 2012-07-06 19:27:10 AEST
Didn't IdentitiesOnly do what you want?  That plus IdentityFile should cause the client to only try the key specified by IdentityFile.

IdentitiesOnly
  Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. The argument to this keyword must be "yes" or "no". This option is intended for situations where ssh-agent offers many different identities. The default is "no".

IdentityFile
  Specifies a file from which the user's RSA or DSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication.
Comment 2 Anton Chevychalov 2012-07-06 19:47:39 AEST
As far as I understand, the parameters "-i" and "IdentityFile" can be used only for authentication without ssh-agent. It means that when you say -i ~/.ssh/id_rsa it will try to find this on the file system, not in ssh-agent.

I want to have something like -i, but for the case when my keys are not on the file system but in ssh-agent.
Comment 3 Darren Tucker 2012-07-06 20:00:39 AEST
-i or IdentityFile will use a key from the agent if it has one with a matching fingerprint.  IdentitiesOnly will use only the identities specified by IdentityFile, and if the agent has it that's what will get used.  The man page doesn't really mention this, so maybe we should add something.
Comment 4 Anton Chevychalov 2012-07-06 20:32:21 AEST
Oh. It's really nice! It means that everything I need is ssh-agent with previously imported keys, and pub keys as a source of fingerprints.

I think it should be mentioned in the man pages, just because a lot of people think it can't work.

But why is there no search by key name? I mean that a name is simpler than a fingerprint, and you can store this parameter in ssh_config.
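The behaviour Darren describes in Comment 3 and Anton summarises in Comment 4 (IdentitiesOnly plus an IdentityFile whose private half lives only in the agent, matched by fingerprint), as an added example that is not part of the bug report or of OpenSSH itself. The host name, key path and the sample `ssh-add -l` output are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the bug report. Emits the ssh_config stanza that
# restricts ssh to one agent-held key, and checks whether that key is loaded.

# ssh_config stanza for HOST using KEYFILE. Pointing IdentityFile at the
# .pub file is enough: ssh derives the fingerprint from it and asks the
# agent for the matching private key, so the private file need not exist.
identities_only_stanza() {
    host="$1"; keyfile="$2"
    printf 'Host %s\n    IdentitiesOnly yes\n    IdentityFile %s\n' \
        "$host" "$keyfile"
}

# Return 0 if fingerprint FP appears in AGENT_LIST (the text of `ssh-add -l`,
# one key per line, fingerprint in the second column).
fingerprint_in_agent_list() {
    fp="$1"; agent_list="$2"
    printf '%s\n' "$agent_list" | awk -v fp="$fp" '$2 == fp { found = 1 }
                                                   END { exit !found }'
}

# Live check against the running agent; returns 2 when it cannot be run
# (no ssh-keygen on PATH or no agent socket) so a caller can tell the cases apart.
key_loaded_in_agent() {
    keyfile="$1"
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    [ -n "$SSH_AUTH_SOCK" ] || return 2
    fp=$(ssh-keygen -lf "$keyfile" | awk '{ print $2 }')
    fingerprint_in_agent_list "$fp" "$(ssh-add -l 2>/dev/null)"
}

# Constructed sample of `ssh-add -l` output: three keys, none of them real.
SAMPLE_AGENT_LIST='2048 SHA256:deploykeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA deploy@example (RSA)
256 SHA256:buildkeyBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB build@example (ED25519)
4096 SHA256:backupkeyCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC backup@example (RSA)'

# Stand-alone use: print the stanza and report on the sample list.
identities_only_stanza build.example.org "~/.ssh/build_key.pub"
if fingerprint_in_agent_list "SHA256:buildkeyBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" \
        "$SAMPLE_AGENT_LIST"; then
    echo "build key is loaded in the (sample) agent"
fi
```

With the stanza in place, ssh offers only the build key to that host instead of every agent identity, which is what avoids "Too many authentication failures".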
Comment 5 Damien Miller 2012-09-07 11:29:53 AEST
Created attachment 2186
Document interaction of IdentitiesOnly, IdentityFile and ssh-agent more explicitly
Comment 6 Damien Miller 2013-06-21 10:38:07 AEST
patch applied - this will be in openssh-6.3
Comment 7 Damien Miller 2016-08-02 10:42:04 AEST
Close all resolved bugs after 7.3p1 release