bugzilla-daemon at bugzilla.mindrot.org
2019-Aug-30 08:18 UTC
[Bug 3062] New: ssh client ignores IdentitesOnly=yes if the identity file isn't found
https://bugzilla.mindrot.org/show_bug.cgi?id=3062
Bug ID: 3062
Summary: ssh client ignores IdentitesOnly=yes if the identity
file isn't found
Product: Portable OpenSSH
Version: 8.0p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: kormat at gmail.com
This ssh command will use any key the client can find through its
normal means (i.e. agent, and ~/.ssh/id_{algo}):
    ssh -F /dev/null -o IdentitiesOnly=yes -i /something/that/doesnt/exist hostname
It will also ignore IdentitiesOnly=yes if no identity file is
specified:
    ssh -F /dev/null -o IdentitiesOnly=yes hostname
I've tested this with:
- OpenSSH_7.2p2
- OpenSSH_7.9p1
- OpenSSH_8.0p1
This contradicts the documentation, which states:
Specifies that ssh(1) should only use the authentication identity and
certificate files explicitly configured in the ssh_config files or
passed on the ssh(1) command-line, even if ssh-agent(1) or a
PKCS11Provider offers more identities.
--
You are receiving this mail because:
You are watching the assignee of the bug.
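A pre-flight check for the situation this report describes, as an added example that is not part of the original thread or of OpenSSH: it reads the output of `ssh -G` and flags a configuration where IdentitiesOnly is yes but none of the listed identity files can be read. The function name `check_identities` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Usage, with the options from the report:
#   ssh -G -F /dev/null -o IdentitiesOnly=yes -i /some/key hostname | check_identities
#
# Reads `ssh -G` output on stdin and prints one line per identityfile entry:
#   "ok <path>" if the file is readable, "missing <path>" if not.
# Return status:
#   0  IdentitiesOnly is not "yes", or at least one listed file is readable
#   1  IdentitiesOnly is "yes" but no listed identity file is readable
check_identities() {
    only=no
    present=0
    while read -r key value; do
        case "$key" in
            identitiesonly)
                only=$value ;;
            identityfile)
                # Expand a leading ~/ ourselves in case the path is
                # printed unexpanded.
                case "$value" in
                    '~/'*) path=$HOME/${value#\~/} ;;
                    *)     path=$value ;;
                esac
                if [ -r "$path" ]; then
                    echo "ok $path"
                    present=$((present + 1))
                else
                    echo "missing $path"
                fi ;;
        esac
    done
    [ "$only" != yes ] || [ "$present" -gt 0 ]
}
```

A non-zero status means the configured restriction names no usable key, so the connection should be reviewed before relying on IdentitiesOnly to limit which keys are offered.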
bugzilla-daemon at bugzilla.mindrot.org
2019-Aug-30 10:39 UTC
[Bug 3062] ssh client ignores IdentitesOnly=yes if the identity file isn't found
https://bugzilla.mindrot.org/show_bug.cgi?id=3062
--- Comment #1 from Stephen Shirley <kormat at gmail.com> ---
Just discovered a workaround:
    ssh -F /dev/null -o IdentitiesOnly=yes -i /something/that/doesnt/exist -i /dev/null hostname
This will cause ssh to fail with:
    Warning: Identity file /something/that/doesnt/exist not accessible: No such file or directory.
    Load key "/dev/null": invalid format
    hostname: Permission denied (publickey).
bugzilla-daemon at bugzilla.mindrot.org
2019-Aug-31 13:48 UTC
[Bug 3062] ssh client ignores IdentitesOnly=yes if the identity file isn't found
https://bugzilla.mindrot.org/show_bug.cgi?id=3062
Stephen Shirley <kormat at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kormat at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2019-Sep-13 04:54 UTC
[Bug 3062] ssh client ignores IdentitesOnly=yes if the identity file isn't found
https://bugzilla.mindrot.org/show_bug.cgi?id=3062
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Blocks| |2988
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Thanks, I've clarified the documentation in commit 7047d5afe.
IdentitiesOnly is intended mostly to limit which keys are tried from
ssh-agent.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release
bugzilla-daemon at mindrot.org
2021-Mar-03 22:53 UTC
[Bug 3062] ssh client ignores IdentitesOnly=yes if the identity file isn't found
https://bugzilla.mindrot.org/show_bug.cgi?id=3062
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle