Hey everyone,

I hope this isn't an old issue; I wasn't able to locate it in the archives.

I have a number of scripts which make use of ssh -i and scp -i, where the target host has the specified key in its authorized_keys file with a command override to do immediate processing of the received data. This works extremely well, as we are able to establish single-function, triggered-action RSA keys to toss data from host to host.

Unfortunately, when invoked with a forwarding agent present, the agent gets to pass its key(s) before the key presented on the command line, which causes all the magic to break. I've tried echoing the debug output, and it confirms that the agent does indeed get first crack at authenticating the connection.

Is this expected behaviour, or should the presence of -i on the command line take precedence over the agent?

Cheers,
-Thomas
Thomas Baden wrote:
> I have a number of scripts which make use of ssh -i
> and scp -i, where the target host has the specified
> key in its authorized_keys file with a command
> override to do immediate processing of the received
> data. This works extremely well, as we are able to
> establish single-function, triggered-action RSA keys
> to toss data from host to host.
>
> Unfortunately, when invoked with a forwarding agent
> present, the agent gets to pass its key(s) before the
> key presented on the command line, which causes all
> the magic to break. I've tried echoing the debug
> output, and it confirms that the agent does indeed get
> first crack at authenticating the connection.

I can't comment on whether this is really intended behavior, but you can easily work around it by unsetting SSH_AUTH_SOCK before you run ssh:

    SSH_AUTH_SOCK= ssh -i foo...

--
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
Thomas Baden wrote:
> Is this expected behaviour, or should the presence of
> -i on the command line take precedence over the agent?

You can use the IdentitiesOnly option (on the command line or in ssh_config) to ignore keys from the agent.

-d
Did you test the OpenSSH 3.8.1x ssh flag IdentitiesOnly? Please see the ssh_config(5) man page for the option IdentitiesOnly.

Sample ~/.ssh/config:
======================================
Host host1
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id1

Host host2
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id2
======================================

Note: with a config like the above you can skip the -i flag.

For versions before 3.8.1x I suggest a workaround:

1.) for one ssh command in interactive mode, as an example:

    $ ssh-agent scp -i ...

2.) for many ssh commands, start a new shell in interactive mode as follows:

    $ ssh-agent /bin/sh
    ... enter commands ...
    $ CTRL+D

3.) if you use a shell script, run it as follows:

    $ ssh-agent myscript.sh

Enjoy ;-)

Thomas Baden wrote:
> Hey everyone,
>
> I hope this isn't an old issue; I wasn't able to
> locate it in the archives.
>
> I have a number of scripts which make use of ssh -i
> and scp -i, where the target host has the specified
> key in its authorized_keys file with a command
> override to do immediate processing of the received
> data. This works extremely well, as we are able to
> establish single-function, triggered-action RSA keys
> to toss data from host to host.
>
> Unfortunately, when invoked with a forwarding agent
> present, the agent gets to pass its key(s) before the
> key presented on the command line, which causes all
> the magic to break. I've tried echoing the debug
> output, and it confirms that the agent does indeed get
> first crack at authenticating the connection.
>
> Is this expected behaviour, or should the presence of
> -i on the command line take precedence over the agent?
>
> Cheers,
> -Thomas
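As an added example (not code from anyone in this thread), a POSIX shell sketch of both sides of the setup Thomas describes: a restricted authorized_keys entry for the forced-command key on the receiving host, and a client wrapper that combines IdentitiesOnly with the SSH_AUTH_SOCK trick so that only the named key is ever offered, whatever the client version. The function names, the SSH_CMD variable and the key and command paths are assumptions.

```shell
#!/bin/sh
# Added example; not from the thread. Names below are assumptions.

# Emit an authorized_keys line for PUBKEY_FILE that forces FORCED_CMD and
# drops every capability a single-purpose data-drop key does not need.
# The forced command can still inspect the client's request through
# $SSH_ORIGINAL_COMMAND if it wants to validate it before processing.
restricted_authorized_key() {
    pubkey_file="$1"; forced_cmd="$2"
    [ -r "$pubkey_file" ] || return 2
    # keep only "type base64" so a stray comment cannot smuggle options in
    keyfields=$(awk '{print $1, $2}' "$pubkey_file")
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$forced_cmd" "$keyfields"
}

# Usage: single_key_ssh KEYFILE [ssh/scp arguments...]
# $SSH_CMD selects the client binary (ssh or scp); default is ssh.
single_key_ssh() {
    key="$1"; shift
    [ -r "$key" ] || { echo "single_key_ssh: cannot read $key" >&2; return 2; }
    # SSH_AUTH_SOCK=      hides the agent from any client version;
    # IdentitiesOnly=yes  makes 3.8.1+ ignore the agent even if reachable;
    # BatchMode=yes       fails instead of prompting if the key is rejected.
    SSH_AUTH_SOCK= "${SSH_CMD:-ssh}" -o IdentitiesOnly=yes -o BatchMode=yes \
        -i "$key" "$@"
}
```

On the receiving host the emitted line goes into ~/.ssh/authorized_keys for the drop account; on the sender, scripts call single_key_ssh (or set SSH_CMD=scp) instead of bare ssh -i.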