I need to offer a non-default ssh key when I access some git repos. In my `~/.gitconfig` I have:

    [url "git@gh-org:privateorg/"]
        insteadOf = git@github.com:privateorg/

And in my `~/.ssh/config` I have:

    Host gh-org
        HostName github.com
        IdentityFile ~/.ssh/zzz-basi01.id_rsa.disabled

`.disabled` means it should not be added to the agent automatically so I don't have too many keys in it (to address "Too many authentication failures" on password-protected servers). However, if the key is *not* added to the agent, when I try to connect, ssh first tries the agent keys:

    debug1: Will attempt key: /home/basin/.ssh/id_rsa RSA xxxxx agent
    debug1: Will attempt key: funktestkey RSA xxxx agent
    debug1: Will attempt key: /home/basin/.ssh/zzz-basi01.id_rsa.disabled explicit
    ...
    debug1: Offering public key: /home/basin/.ssh/id_rsa RSA xxxxx agent
    ...
    debug1: Server accepts key: /home/basin/.ssh/id_rsa RSA xxxx agent

The workaround is to disable agent usage with `IdentityAgent none`. However, I expect ssh to try the identities from agent and files in a mixed manner, explicit first.
I think IdentitiesOnly does what you want:

    IdentitiesOnly
        Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identities.
Even with IdentitiesOnly=yes, among explicitly listed keys agent keys take precedence, regardless of the order on the command line:

    ssh -vvv -oIdentitiesOnly=yes -oBatchMode=yes -i ~/.ssh/zzz-test2.id_rsa -i ~/.ssh/id_rsa localhost date
    ...
    debug1: Will attempt key: /home/il/.ssh/id_rsa RSA xxx explicit agent
    debug1: Will attempt key: /home/il/.ssh/zzz-test2.id_rsa RSA xxx explicit

I still think it is natural to expect that `ssh -i identity_file` will first try the identity_file without the need to specify additional options.
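As an added example (not part of this bug report and not OpenSSH code), here is a small Python parser for the `ssh -v` output quoted in the report and in the IdentitiesOnly=yes follow-up above. It reads the per-candidate "Will attempt key:" lines, records whether each key is `explicit` (named via `-i` or `IdentityFile`) and/or `agent` (currently held by ssh-agent), reports which explicitly configured keys ssh only reaches after an agent-held key, and extracts the key the server finally accepted. The two log samples are copied from the thread (fingerprints already masked as xxx); the flag vocabulary is limited to the two words that appear there, and a candidate with no type/fingerprint (the on-disk key ssh had not yet read) is kept with those fields set to None.

```python
from dataclasses import dataclass
from typing import List, Optional

# Trailing flags ssh -v appends to a candidate key, as seen in the thread above.
# Only "explicit" and "agent" occur on the page, so only those are recognised.
KNOWN_FLAGS = {"explicit", "agent"}

ATTEMPT_PREFIX = "debug1: Will attempt key: "
ACCEPT_PREFIX = "debug1: Server accepts key: "


@dataclass(frozen=True)
class Candidate:
    path: str
    keytype: Optional[str]       # None when ssh printed no type (key not yet loaded)
    fingerprint: Optional[str]   # None in the same case
    flags: frozenset

    @property
    def explicit(self) -> bool:
        return "explicit" in self.flags

    @property
    def in_agent(self) -> bool:
        return "agent" in self.flags


def _parse_key_fields(fields: str) -> Candidate:
    """Parse '<path> [<type> <fingerprint>] [explicit] [agent]' into a Candidate."""
    tokens = fields.split()
    path, rest = tokens[0], tokens[1:]
    flags = set()
    while rest and rest[-1] in KNOWN_FLAGS:   # strip flags from the right
        flags.add(rest.pop())
    keytype = rest[0] if len(rest) >= 2 else None
    fingerprint = rest[1] if len(rest) >= 2 else None
    return Candidate(path, keytype, fingerprint, frozenset(flags))


def parse_attempts(debug_output: str) -> List[Candidate]:
    """Return the candidates in the order ssh announced it would try them."""
    cands = []
    for line in debug_output.splitlines():
        line = line.strip()
        if line.startswith(ATTEMPT_PREFIX):
            cands.append(_parse_key_fields(line[len(ATTEMPT_PREFIX):]))
    return cands


def accepted_key(debug_output: str) -> Optional[str]:
    """Path (or agent comment) of the key the server accepted, if any."""
    for line in debug_output.splitlines():
        line = line.strip()
        if line.startswith(ACCEPT_PREFIX):
            return _parse_key_fields(line[len(ACCEPT_PREFIX):]).path
    return None


def explicit_keys_offered_after_agent_keys(cands: List[Candidate]) -> List[str]:
    """Explicitly configured, non-agent keys that ssh only tries after at least
    one agent-held key: the ordering the reporter is objecting to."""
    seen_agent = False
    late = []
    for c in cands:
        if c.explicit and not c.in_agent and seen_agent:
            late.append(c.path)
        if c.in_agent:
            seen_agent = True
    return late


# Sample transcripts copied from the thread above (not freshly captured).
REPORT_LOG = """\
debug1: Will attempt key: /home/basin/.ssh/id_rsa RSA xxxxx agent
debug1: Will attempt key: funktestkey RSA xxxx agent
debug1: Will attempt key: /home/basin/.ssh/zzz-basi01.id_rsa.disabled explicit
...
debug1: Offering public key: /home/basin/.ssh/id_rsa RSA xxxxx agent
...
debug1: Server accepts key: /home/basin/.ssh/id_rsa RSA xxxx agent
"""

IDENTITIESONLY_LOG = """\
debug1: Will attempt key: /home/il/.ssh/id_rsa RSA xxx explicit agent
debug1: Will attempt key: /home/il/.ssh/zzz-test2.id_rsa RSA xxx explicit
"""


if __name__ == "__main__":
    for name, log in (("report", REPORT_LOG), ("IdentitiesOnly=yes", IDENTITIESONLY_LOG)):
        cands = parse_attempts(log)
        print(f"{name}: order = {[c.path for c in cands]}")
        print(f"  explicit keys reached only after an agent key: "
              f"{explicit_keys_offered_after_agent_keys(cands)}")
        print(f"  accepted: {accepted_key(log)}")
```

Feed it a saved `ssh -vvv host 2>log` transcript. A non-empty result from `explicit_keys_offered_after_agent_keys` is exactly the situation this bug describes: `IdentitiesOnly yes` removes agent-only keys from the list but, as the follow-up shows, an explicit key that also happens to be loaded in the agent is still tried first; only `IdentityAgent none` under that `Host` stops the agent being consulted, at the price of a passphrase prompt if the file key is encrypted.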
This is deliberate - agent keys are always preferred because they will typically not require the user to enter a passphrase, whereas keys on the filesystem are far more likely to. IMO this gives the best experience for the majority of users.
closing resolved bugs as of 8.6p1 release