raf
2020-Sep-30 04:38 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
Hi,

I have a VM with a git repository whose origin is on
github. I have several keys known to github, so I needed
to set git's core.sshcommand config parameter in the
repository to something like this:

  ssh -i ~/.ssh/id_ed25519_github2

But it meant that I needed to copy that key to the VM.
The same key is available via my forwarded ssh-agent
connection. Is it possible to tell ssh to use that
instead of the key in a file? The documentation for the
-i option only mentions files.

cheers,
raf

Damien Miller
2020-Sep-30 05:35 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, 30 Sep 2020, raf wrote:

> Hi,
>
> I have a VM with a git repository whose origin is on
> github. I have several keys known to github, so I needed
> to set git's core.sshcommand config parameter in the
> repository to something like this:
>
>   ssh -i ~/.ssh/id_ed25519_github2
>
> But it meant that I needed to copy that key to the VM.
> The same key is available via my forwarded ssh-agent
> connection. Is it possible to tell ssh to use that
> instead of the key in a file? The documentation for the
> -i option only mentions files.

ssh will read the public key (id_ed25519_github2.pub) to identify the key
before it tries to use the private key (id_ed25519_github2). If the private
key is available in the agent then it will never try to use the private key
file.

Summary: copy id_ed25519_github2.pub to your VM and the above command will
work.

-d

raf
2020-Sep-30 08:08 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 03:35:43PM +1000, Damien Miller <djm at mindrot.org> wrote:

> On Wed, 30 Sep 2020, raf wrote:
>
> > Hi,
> >
> > I have a VM with a git repository whose origin is on
> > github. I have several keys known to github, so I needed
> > to set git's core.sshcommand config parameter in the
> > repository to something like this:
> >
> >   ssh -i ~/.ssh/id_ed25519_github2
> >
> > But it meant that I needed to copy that key to the VM.
> > The same key is available via my forwarded ssh-agent
> > connection. Is it possible to tell ssh to use that
> > instead of the key in a file? The documentation for the
> > -i option only mentions files.
>
> ssh will read the public key (id_ed25519_github2.pub) to identify the key
> before it tries to use the private key (id_ed25519_github2). If the private
> key is available in the agent then it will never try to use the private key
> file.
>
> Summary: copy id_ed25519_github2.pub to your VM and the above command will
> work.
>
> -d

Hi Damien,

Thanks. That's brilliant. It should get a mention in the
manpage. I've attached a patch for ssh.1.

However, I've just tried it and it didn't work for me. :-(

  $ git config core.sshcommand
  ssh -i ~/.ssh/id_ed25519_github2

  $ ls -l ~/.ssh/id*
  -rw-r--r-- 1 raf raf 110 Dec 19 2019 /home/raf/.ssh/id_ed25519_github2.pub

  $ cat ~/.ssh/id_ed25519_github2.pub
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK user at domain.com

  $ ssh-add -L
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK user at domain.com
  [...]

  $ git pull
  Warning: Identity file /home/raf/.ssh/id_ed25519_aps_github not accessible: No such file or directory.
  ERROR: Repository not found.
  [...]

  $ ssh -V
  OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019

Perhaps this version of ssh is too old for this to work?

Regards,
Robert

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh.1.patch
Type: text/x-diff
Size: 517 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200930/d44ec270/attachment.bin>

Gregory Seidman
2020-Sep-30 19:28 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
I have sections in my .ssh/config (see below) to allow me to use several
different github accounts. The important part is having the .pub files
sitting there. You don't need the private key on the VM, just the public
key, and it will pick the correct private key from your agent. Then on the
git repo I do: git remote add origin githubu2:user/repo.git

Those sections:

Host githubu1
    Tunnel no
    ForwardAgent no
    ForwardX11 no
    HostName github.com
    user git
    IdentityFile ~/.ssh/githubu1.pub

Host githubu2
    Tunnel no
    ForwardAgent no
    ForwardX11 no
    HostName github.com
    user git
    IdentityFile ~/.ssh/githubu2.pub

Host githubu3
    Tunnel no
    ForwardAgent no
    ForwardX11 no
    HostName github.com
    user git
    IdentityFile ~/.ssh/githubu3.pub

--Gregory

On Wed, Sep 30, 2020 at 02:38:23PM +1000, raf wrote:

> Hi,
>
> I have a VM with a git repository whose origin is on
> github. I have several keys known to github, so I needed
> to set git's core.sshcommand config parameter in the
> repository to something like this:
>
>   ssh -i ~/.ssh/id_ed25519_github2
>
> But it meant that I needed to copy that key to the VM.
> The same key is available via my forwarded ssh-agent
> connection. Is it possible to tell ssh to use that
> instead of the key in a file? The documentation for the
> -i option only mentions files.
>
> cheers,
> raf

raf
2020-Oct-01 00:18 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 03:28:01PM -0400, Gregory Seidman <gsslist+ssh at anthropohedron.net> wrote:

> I have sections in my .ssh/config (see below) to allow me to use several
> different github accounts. The important part is having the .pub files
> sitting there. You don't need the private key on the VM, just the public
> key, and it will pick the correct private key from your agent. Then on the
> git repo I do: git remote add origin githubu2:user/repo.git
>
> Those sections:
>
> Host githubu1
>     Tunnel no
>     ForwardAgent no
>     ForwardX11 no
>     HostName github.com
>     user git
>     IdentityFile ~/.ssh/githubu1.pub
>
> Host githubu2
>     Tunnel no
>     ForwardAgent no
>     ForwardX11 no
>     HostName github.com
>     user git
>     IdentityFile ~/.ssh/githubu2.pub
>
> Host githubu3
>     Tunnel no
>     ForwardAgent no
>     ForwardX11 no
>     HostName github.com
>     user git
>     IdentityFile ~/.ssh/githubu3.pub
>
> --Gregory

Hi Gregory,

Thanks. That's great. I didn't realise that I could use
the name of the public key file with -i. The
documentation doesn't indicate that. In fact, it
explicitly states that the filename argument is for the
private key.

With this knowledge, the git config approach works just
as well:

  git config core.sshcommand 'ssh -i ~/.ssh/id_ed25519_github2.pub'

and the remote origin can stay as git@github.com and
there's no need to put repository-specific config in
ssh's config. I prefer that.

I've attached a new patch to ssh.1 that explains how to
do this.

Many thanks.

cheers,
raf

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh.1.patch
Type: text/x-diff
Size: 524 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20201001/a6e190eb/attachment.bin>
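
The approach in this thread depends on the key in the .pub file being one the forwarded agent actually holds. As an added example (not code from the thread or from OpenSSH), this shell check compares a .pub file against `ssh-add -L` output before git is pointed at `ssh -i file.pub`; the function names, file names and key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Key blobs below are constructed placeholders.

# key_id FILE: print "type blob" of the first key line, dropping the comment,
# because the comment may differ between the .pub file and the agent.
key_id() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2; exit }' "$1"
}

# agent_has_key PUBFILE [LISTING]
# LISTING is a file holding `ssh-add -L` output; without it ssh-add -L is run.
# Returns 0 if the agent holds the key, 1 if it does not, 2 if PUBFILE is unusable.
agent_has_key() {
    want=$(key_id "$1" 2>/dev/null) || return 2
    [ -n "$want" ] || return 2
    if [ -n "${2:-}" ]; then
        cat "$2"
    else
        ssh-add -L 2>/dev/null
    fi | awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }'
}

# write_sample DIR: constructed .pub files and a constructed agent listing.
write_sample() {
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo raf@vm' > "$1/github2.pub"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyNine x' > "$1/other.pub"
    cat > "$1/agent.txt" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne user@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo user@laptop
EOF
}

dir=$(mktemp -d)
write_sample "$dir"
for f in github2.pub other.pub; do
    if agent_has_key "$dir/$f" "$dir/agent.txt"; then
        echo "$f: held by the agent, usable with ssh -i $f"
    else
        echo "$f: not held by the agent"
    fi
done
rm -rf "$dir"
```

On the VM, call `agent_has_key ~/.ssh/id_ed25519_github2.pub` with no second argument to query the forwarded agent directly.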