bugzilla-daemon at mindrot.org
2013-Jan-29 01:30 UTC
[Bug 2066] New: ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

            Bug ID: 2066
           Summary: ssh tries the keys proposed by the agent before those passed with -i
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.0p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: pabs3 at bonedaddy.net

When I have IdentityFile set in ~/.ssh/config and multiple ssh keys added to my ssh-agent, ssh -i ... or ssh -o 'IdentityFile ....' tries keys from the ssh-agent before the keys I specified on the command-line.

The key I passed on the command-line is a passwordless key that is command-limited on the remote end (limited to running git-upload-pack so I can git clone/fetch over ssh without a passphrase). One of the other keys in my ssh-agent is a password-protected, confirmation-requiring key that is not command-limited on the remote end.

For now I'm working around this by unsetting SSH_AUTH_SOCK whenever I want to use the passwordless command-limited key.

There is another use-case listed in this Debian bug: http://bugs.debian.org/513235

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Jan-29 01:36 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
Does the IdentitiesOnly option not do what you want? From ssh_config(5):

     IdentitiesOnly
             Specifies that ssh(1) should only use the authentication
             identity files configured in the ssh_config files, even if
             ssh-agent(1) offers more identities. The argument to this
             keyword must be 'yes' or 'no'. This option is intended for
             situations where ssh-agent offers many different identities.
             The default is 'no'.
bugzilla-daemon at mindrot.org
2013-Jan-29 01:55 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #2 from Paul Wise <pabs3 at bonedaddy.net> ---
In my case the password-protected key in ssh-agent is also the key referred to by IdentityFile, so IdentitiesOnly, neither on the command-line nor in the config file, is going to help here.
bugzilla-daemon at mindrot.org
2013-Feb-08 00:10 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
I'm not understanding your setup properly here. Could you explain it in a little detail?

Are you saying that you have a password-protected, confirm-requiring key in the agent and also laying around passwordless on the filesystem? That seems ... self-defeating.
bugzilla-daemon at mindrot.org
2013-Feb-08 00:33 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #4 from Paul Wise <pabs3 at bonedaddy.net> ---
There are two keys:

One is password-protected. This key is listed in the Host * IdentityFile in ~/.ssh/config and added to the ssh-agent with ssh-add -c, meaning it requires confirmation before use.

The other is not password-protected. It is not added to the ssh-agent. Its use is command-limited on the server side to pulling from git repositories:

    command="/usr/bin/git-upload-pack ${SSH_ORIGINAL_COMMAND#* }",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ...

In order to use the passwordless key for git pull but not git push, I set GIT_SSH to a script that does this instead when connecting to a host that supports my passwordless key:

    unset SSH_AUTH_SOCK   <--- This part is a workaround for this bug (2066)
    ssh -o 'ControlMaster auto' -o 'ControlPath ~/.ssh/git-control-%l->%r@%h:%p' -i ~/.ssh/my-git-key "$@"
bugzilla-daemon at mindrot.org
2013-Feb-08 01:05 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to comment #4)
[...]
> unset SSH_AUTH_SOCK <--- This part is a workaround for this bug
> (2066)
> ssh -o 'ControlMaster auto' -o 'ControlPath
> ~/.ssh/git-control-%l->%r@%h:%p' -i ~/.ssh/my-git-key "$@"

What happens if you remove the "unset" line and add "-o IdentitiesOnly=yes" to the command line?
bugzilla-daemon at mindrot.org
2013-Feb-08 01:09 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #6 from Darren Tucker <dtucker at zip.com.au> ---
Also, could you please attach (using "Add as an attachment") the output from ssh -vvv in each of the two cases you're describing?
bugzilla-daemon at mindrot.org
2013-Mar-24 12:11 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

Jaap Eldering <eldering at a-eskwadraat.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eldering at a-eskwadraat.nl

--- Comment #7 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
I have the same issue, related to using gitolite to access Git repositories over SSH, see http://superuser.com/questions/570356/how-to-override-ssh-default-identity for a detailed description.

I'm running the same OpenSSH client version: Debian 6.0p1-4. I have two keys that are accepted by the server: ~/.ssh/id_rsa and ~/.ssh/id_rsa_git, but I want to use the latter and I have set up the following in ~/.ssh/config:

    Host git
        Hostname router
        User gitolite
        ForwardX11 no
        ForwardAgent no
        GSSAPIAuthentication no
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id_rsa_git

When my key ~/.ssh/id_rsa is loaded in ssh-agent it is offered first (and accepted), while if I remove it from the agent, then ~/.ssh/id_rsa_git is offered and accepted. Specifying any of the additional options IdentitiesOnly=yes or -i ~/.ssh/id_rsa_git does not change the behaviour in either case.

A related comment: in the documentation I cannot find whether it is possible to override the default IdentityFiles, nor if/how the order of specifying these influences the order in which the ssh client offers them.
bugzilla-daemon at mindrot.org
2013-May-10 04:31 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Please try to reproduce this using openssh-6.2p1 with IdentitiesOnly=yes set and verbose output turned on ("ssh -vvv ..."). We can't debug this without this information.
bugzilla-daemon at mindrot.org
2013-May-10 20:06 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #9 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
I found that my reported problems were due to my own configuration errors. I had the following lines in my ~/.ssh/config:

    Host *
        IdentityFile ~/.ssh/id_dsa
        IdentityFile ~/.ssh/id_rsa

Removing these made ssh connect with the expected keys, both for the current Debian Wheezy version 6.0p1 and version 6.2p1 installed from original sources. I'm sorry for the noise.

Jaap
bugzilla-daemon at mindrot.org
2013-May-10 20:28 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #10 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Created attachment 2260
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2260&action=edit
Log of SSH without agent running.
bugzilla-daemon at mindrot.org
2013-May-10 20:31 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #11 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Sorry for replying again, but on second check there does seem to be a bug, even after removing the IdentityFile lines from the 'Host *' config. I'll attach the output of 'ssh -vvv git' in three different scenarios:

- without ssh-agent running: connect using correct key
- with ssh-agent and default ~/.ssh/id_{rsa,dsa} keys loaded: ~/.ssh/id_rsa is incorrectly used
- with ssh-agent but ~/.ssh/id_rsa key removed from agent: connect using correct key

Also attached a stripped-down version of my client config, exactly the version as used.
bugzilla-daemon at mindrot.org
2013-May-10 20:31 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #12 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Created attachment 2261
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2261&action=edit
Log of SSH with ssh-agent and default keys loaded.
bugzilla-daemon at mindrot.org
2013-May-10 20:32 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #13 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Created attachment 2262
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2262&action=edit
Log of SSH with ssh-agent and id_rsa removed.
bugzilla-daemon at mindrot.org
2013-May-10 20:33 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #14 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Created attachment 2263
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2263&action=edit
ssh-config used
bugzilla-daemon at mindrot.org
2013-Jul-18 04:34 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #15 from Damien Miller <djm at mindrot.org> ---
Your config doesn't have IdentitiesOnly set for the "Host git" case, so it is trying other keys from the agent.

A bug isn't the best place to diagnose your config. Feel free to discuss further on the openssh-unix-dev mailing list, but I'll close this bug. If the discussion shows evidence of an error in IdentityFile or IdentitiesOnly then we can reopen the bug.
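The misconfiguration diagnosed in comment #15 (a Host block that names an IdentityFile but never sets IdentitiesOnly yes, so keys held by ssh-agent are still offered first) and the Host * IdentityFile lines from comment #9 can both be caught with a small lint over ~/.ssh/config. This is an added example, not code from the bug report or from OpenSSH; the sample config and the function names are constructed here, and the check assumes the usual "Keyword value" spelling rather than "Keyword=value".

```shell
#!/bin/sh
# Constructed sample config (not the reporter's attachment). The "git" block
# names a key but leaves IdentitiesOnly unset, the shape diagnosed in
# comment #15; "git-fixed" is the corrected block.
SAMPLE_CONFIG='
Host *
    IdentityFile ~/.ssh/id_rsa

Host git
    Hostname router
    User gitolite
    IdentityFile ~/.ssh/id_rsa_git

Host git-fixed
    Hostname router
    User gitolite
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa_git
'

# check_identities_only FILE
# Prints the "Host ..."/"Match ..." line of every block that sets IdentityFile
# without IdentitiesOnly yes; returns 1 if any such block exists. Host * blocks
# are reported too, because their IdentityFile entries accumulate into every
# other block (the comment #9 situation).
check_identities_only() {
    awk '
        function flush() {
            if (host != "" && has_file && !only) { print host; bad++ }
        }
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "host" || tolower($1) == "match" {
            flush(); host = $0; has_file = 0; only = 0; next
        }
        tolower($1) == "identityfile" { has_file = 1 }
        tolower($1) == "identitiesonly" && tolower($2) == "yes" { only = 1 }
        END { flush(); if (bad > 0) exit 1 }
    ' "$1"
}

# Run the check over the constructed sample; returns the lint result.
demo_check() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    if check_identities_only "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```

With the lint passing, the GIT_SSH wrapper from comment #4 can drop its unset SSH_AUTH_SOCK line in favour of the -o IdentitiesOnly=yes that comment #5 suggests.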
bugzilla-daemon at mindrot.org
2015-Aug-11 13:05 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #16 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1