Bug 2221 - Explicit identity files are being used after implicit files are attempted
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 6.2p1
Hardware: ix86 Linux
Importance: P5 minor
Assignee: Assigned to nobody
Reported: 2014-04-05 07:14 AEDT by Michael Hall
Modified: 2015-08-11 23:04 AEST
Description Michael Hall 2014-04-05 07:14:18 AEDT
When explicitly setting an identity, either via the -i command-line parameter or IdentityFile in the ssh config, these files are used only after any other identity files found in ~/.ssh/ have failed pubkey authentication.

When the remote host limits the number of pubkey authentication failures before disconnecting, this can lead to a situation where the explicit identity file is not even used when connecting to that host.
Comment 1 Damien Miller 2014-04-05 09:10:46 AEDT
You need IdentitiesOnly=yes; from ssh_config(1):

  IdentitiesOnly
     Specifies that ssh(1) should only use the authentication identity
     files configured in the ssh_config files, even if ssh-agent(1) or
     a PKCS11Provider offers more identities.  The argument to this
     keyword must be “yes” or “no”.  This option is intended for
     situations where ssh-agent offers many different identities.
     The default is “no”.
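
A check that follows from Comment 1, as an added example that is not part of the original bug thread or of OpenSSH: a shell function that reads ssh_config syntax on stdin and lists Host blocks that set IdentityFile without an effective IdentitiesOnly yes. The function names, host names and key paths are made up for illustration, and Include, Match and global IdentityFile handling is left out.

```shell
# Added example (not OpenSSH code): list Host blocks that set IdentityFile
# without an effective "IdentitiesOnly yes". Assumptions: ssh_config syntax on
# stdin; Include not followed, Match blocks skipped, global IdentityFile ignored.
audit_identities_only() {
    awk '
    function report() {
        # ssh_config uses the first value obtained, so a setting made
        # before any Host line takes precedence over the block.
        effective = gset ? gyes : (bset && byes)
        if (host != "" && has_file && !effective) print host
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # Keywords are case-insensitive; separator is whitespace or "=".
        kw = line;  sub(/[ \t=].*$/, "", kw);  kw = tolower(kw)
        val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        if (kw == "host" || kw == "match") {
            report()
            host = (kw == "host") ? val : ""
            in_block = 1; has_file = 0; bset = 0; byes = 0
            next
        }
        if (kw == "identityfile") has_file = 1
        if (kw == "identitiesonly") {
            yes = (tolower(val) == "yes")
            if (!in_block && !gset) { gset = 1; gyes = yes }
            if (in_block && !bset)  { bset = 1; byes = yes }
        }
    }
    END { report() }'
}
# Constructed sample config; host names and key paths are placeholders.
sample_config() {
cat <<'EOF'
Host build.example.com
    IdentityFile ~/.ssh/id_build
Host git.example.com
    IdentityFile=~/.ssh/id_git
    identitiesonly yes
Host *.lab.example.com
    IdentitiesOnly no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_lab
EOF
}
sample_config | audit_identities_only
```

Against a real file, run it as `audit_identities_only < ~/.ssh/config`; each line printed is a Host pattern where ssh may still offer identities other than the configured file.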
Comment 2 Damien Miller 2015-08-11 23:04:16 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1