Hi,

I run into a certain problem from time to time.

1. Configure and launch ssh-agent.
2. That's usually perfect.
3. Occasionally, connect to a different and less common remote server. Use ssh -i keyfile
4. ssh -i keyfile fails. Because ssh-agent doesn't know about that key.

If you are specifying a key "-i key", then you are specifying a key, and clearly don't need to use the keys from ssh-agent. Could ssh prefer the key from the command line? Give that precedence, over using the ssh-agent keys?

Many executables make choices based on multiple input parameters, with information from the command-line having the top priority.

What is your opinion?

Thanks,
Sam

Hi Sam,

On Mon, Sep 30, 2024 at 11:37:18 -0600, Sam Darwin wrote:
> If you are specifying a key "-i key", then you are specifying a key, and
> clearly don't need to use the keys from ssh-agent.

The -i option is dual-use. From the man page:

> Selects a file from which the identity (private key) for public key authentication is read.
> You can also specify a public key file to use the corresponding
> private key that is loaded in ssh-agent(1) when the private key file
> is not present locally.

I think you can also load certificates using the -i option and use the agent to generate the signature.

> Could ssh prefer the key from the command line? Give that precedence,
> over using the ssh-agent keys?

The IdentitiesOnly option takes care of that. Or you could set up your ~/.ssh/config file with IdentitiesOnly + IdentityFile to specify the correct key for each server.

J?rn

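Added example, not part of the original thread or of the OpenSSH documentation: a ~/.ssh/config along the lines suggested in the reply above, pinning one key to one host with IdentityFile plus IdentitiesOnly. The host alias, host name, user and key path are placeholders.

```sshconfig
# ~/.ssh/config  (added example; all names and paths below are placeholders)

# The less common server: offer only the key named here.
# With IdentitiesOnly yes, ssh ignores any other identities the agent
# offers and uses just the configured IdentityFile entries (or keys
# passed with -i on the command line).
Host rare-server
    HostName rare.example.org
    User exampleuser
    IdentityFile ~/.ssh/id_ed25519_rare
    IdentitiesOnly yes

# All other hosts keep the default behaviour (IdentitiesOnly no),
# so the keys loaded in ssh-agent continue to be used for them.

# One-off equivalent without editing the config file:
#   ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519_rare exampleuser@rare.example.org
#
# To see which options ssh resolves for the host without connecting:
#   ssh -G rare-server
```
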
On Mon, 30 Sep 2024, Sam Darwin wrote:
> Hi,
> I run into a certain problem from time to time.
>
> 1. Configure and launch ssh-agent.
> 2. That's usually perfect.
> 3. Occasionally, connect to a different and less common remote server.
> Use ssh -i keyfile
> 4. ssh -i keyfile fails. Because ssh-agent doesn't know about that key.
>
> If you are specifying a key "-i key", then you are specifying a key, and
> clearly don't need to use the keys from ssh-agent. Could ssh prefer the key
> from the command line? Give that precedence, over using the ssh-agent keys?

ssh should do this already. Please post a debug trace "ssh -vvv ..." and we'll be able to see what broke.