bugzilla-daemon at mindrot.org
2013-Jan-29 01:30 UTC
[Bug 2066] New: ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
Bug ID: 2066
Summary: ssh tries the keys proposed by the agent before those
passed with -i
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.0p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: pabs3 at bonedaddy.net
When I have IdentityFile set in ~/.ssh/config and multiple ssh keys
added to my ssh-agent, ssh -i ... or ssh -o 'IdentityFile ....' tries
keys from the ssh-agent before the keys I specified on the
command-line. The key I passed on the command-line is a passwordless
key that is command-limited on the remote end (limited to running
git-upload-pack so I can git clone/fetch over ssh without a
passphrase). One of the other keys in my ssh-agent is a
password-protected, confirmation requiring key that is
not-command-limited on the remote end. For now I'm working around this
by unsetting SSH_AUTH_SOCK whenever I want to use the passwordless
command-limited key.
There is another use-case listed in this Debian bug:
http://bugs.debian.org/513235
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Jan-29 01:36 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
Does the IdentitiesOnly option not do what you want? From
ssh_config(5):
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity
files configured in the ssh_config files, even if ssh-agent(1)
offers more identities. The argument to this keyword must be
“yes” or “no”. This option is intended for situations where
ssh-agent offers many different identities. The default is “no”.
bugzilla-daemon at mindrot.org
2013-Jan-29 01:55 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #2 from Paul Wise <pabs3 at bonedaddy.net> ---
In my case the password-protected key in ssh-agent is also the key
referred to by IdentityFile, so IdentitiesOnly, whether on the
command-line or in the config file, isn't going to help here.
bugzilla-daemon at mindrot.org
2013-Feb-08 00:10 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
I'm not understanding your setup properly here. Could you explain it in
a little detail?
Are you saying that you have a password-protected, confirm-requiring
key in the agent and also laying around passwordless on the filesystem?
That seems ... self-defeating.
bugzilla-daemon at mindrot.org
2013-Feb-08 00:33 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #4 from Paul Wise <pabs3 at bonedaddy.net> ---
There are two keys:
One is password-protected. This key is listed in the Host *
IdentityFile in ~/.ssh/config and added to the ssh-agent with ssh-add
-c, meaning it requires confirmation before use.
The other is not password-protected. It is not added to the ssh-agent.
Its use is command-limited on the server side to pulling from git
repositories:
command="/usr/bin/git-upload-pack ${SSH_ORIGINAL_COMMAND#* }",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ...
In order to use the passwordless key for git pull but not git push, I
set GIT_SSH to a script that does this instead when connecting to a
host that supports my passwordless key:
unset SSH_AUTH_SOCK   # <--- This part is a workaround for this bug (2066)
ssh -o 'ControlMaster auto' -o 'ControlPath ~/.ssh/git-control-%l->%r@%h:%p' -i ~/.ssh/my-git-key "$@"
bugzilla-daemon at mindrot.org
2013-Feb-08 01:05 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to comment #4)
[...]
> unset SSH_AUTH_SOCK <--- This part is a workaround for this bug (2066)
> ssh -o 'ControlMaster auto' -o 'ControlPath ~/.ssh/git-control-%l->%r@%h:%p' -i ~/.ssh/my-git-key "$@"
What happens if you remove the "unset" line and add "-o IdentitiesOnly=yes"
to the command line?
bugzilla-daemon at mindrot.org
2013-Feb-08 01:09 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #6 from Darren Tucker <dtucker at zip.com.au> ---
Also, could you please attach (using "Add as an attachment") the output
from ssh -vvv in each of the two cases you're describing?
bugzilla-daemon at mindrot.org
2013-Mar-24 12:11 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
Jaap Eldering <eldering at a-eskwadraat.nl> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |eldering at a-eskwadraat.nl
--- Comment #7 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
I have the same issue, related to using gitolite to access Git
repositories over SSH, see
http://superuser.com/questions/570356/how-to-override-ssh-default-identity
for a detailed description.
I'm running the same OpenSSH client version: Debian 6.0p1-4.
I have two keys that are accepted by the server: ~/.ssh/id_rsa and
~/.ssh/id_rsa_git, but I want to use the latter and I have set up the
following in ~/.ssh/config:
Host git
Hostname router
User gitolite
ForwardX11 no
ForwardAgent no
GSSAPIAuthentication no
IdentitiesOnly yes
IdentityFile ~/.ssh/id_rsa_git
When my key ~/.ssh/id_rsa is loaded in ssh-agent it is offered first
(and accepted), while if I remove it from the agent, then
~/.ssh/id_rsa_git is offered and accepted. Specifying any of the
additional options IdentitiesOnly=yes or -i ~/.ssh/id_rsa_git does not
change the behaviour in either case.
A related comment: in the documentation I cannot find whether it is
possible to override the default IdentityFile's, nor if/how the order
of specifying these influences the order in which the ssh client offers
them.
bugzilla-daemon at mindrot.org
2013-May-10 04:31 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Please try to reproduce this using openssh-6.2p1 with
IdentitiesOnly=yes set and verbose output turned on ("ssh -vvv ...").
We can't debug this without this information.
bugzilla-daemon at mindrot.org
2013-May-10 20:06 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #9 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
I found that my reported problems were due to my own configuration
errors. I had the following lines in my ~/.ssh/config:
Host *
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/id_rsa
Removing these made ssh connect with the expected keys, both for the
current Debian Wheezy version 6.0p1 and version 6.2p1 installed from
original sources.
I'm sorry for the noise.
Jaap
bugzilla-daemon at mindrot.org
2013-May-10 20:28 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #10 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Created attachment 2260
--> https://bugzilla.mindrot.org/attachment.cgi?id=2260&action=edit
Log of SSH without agent running.
bugzilla-daemon at mindrot.org
2013-May-10 20:31 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #11 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Sorry for replying again, but on second check there does seem to be a
bug, even after removing the IdentityFile lines from the 'Host *'
config.
I'll attach the output of 'ssh -vvv git' in three different
scenarios:
- without ssh-agent running: connect using correct key
- with ssh-agent and default ~/.ssh/id_{rsa,dsa} keys loaded:
~/.ssh/id_rsa is incorrectly used
- with ssh-agent but ~/.ssh/id_rsa key removed from agent: connect
using correct key
Also attached a stripped-down version of my client config, exactly the
version as used.
bugzilla-daemon at mindrot.org
2013-May-10 20:31 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #12 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Created attachment 2261
--> https://bugzilla.mindrot.org/attachment.cgi?id=2261&action=edit
Log of SSH with ssh-agent and default keys loaded.
bugzilla-daemon at mindrot.org
2013-May-10 20:32 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #13 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Created attachment 2262
--> https://bugzilla.mindrot.org/attachment.cgi?id=2262&action=edit
Log of SSH with ssh-agent and id_rsa removed.
bugzilla-daemon at mindrot.org
2013-May-10 20:33 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
--- Comment #14 from Jaap Eldering <eldering at a-eskwadraat.nl> ---
Created attachment 2263
--> https://bugzilla.mindrot.org/attachment.cgi?id=2263&action=edit
ssh-config used
bugzilla-daemon at mindrot.org
2013-Jul-18 04:34 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WORKSFORME
--- Comment #15 from Damien Miller <djm at mindrot.org> ---
Your config doesn't have IdentitiesOnly set for the "Host git"
case, so it is trying other keys from the agent.
A bug isn't the best place to diagnose your config. Feel free to
discuss further on the openssh-unix-dev mailing list, but I'll close
this bug. If the discussions shows evidence of an error in IdentityFile
or IdentitiesOnly then we can reopen the bug.
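An added diagnostic, not part of this bug thread or of OpenSSH, that reads the `ssh -vvv` client output requested in comment #8 and reports which key the client offered first, the point comment #15 diagnoses. The log lines, home directory, paths and fingerprint-free line order are constructed samples, not the thread's attachments.

```python
import re

# Constructed sample of `ssh -vvv` output for the scenario in comment #11:
# ssh-agent holds ~/.ssh/id_rsa while the Host block names ~/.ssh/id_rsa_git.
# Paths and exact line order are assumptions, not copied from the attachments.
AGENT_FIRST_LOG = """\
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jaap/.ssh/id_rsa
debug3: send_pubkey_test
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
"""

# Same connection after adding IdentitiesOnly=yes to the Host block (constructed).
IDENTITIES_ONLY_LOG = """\
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jaap/.ssh/id_rsa_git
debug3: send_pubkey_test
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
"""

# Both message shapes are emitted by OpenSSH 6.x clients at -v or above.
OFFER_RE = re.compile(r"^debug1: (?:Offering \w+ public key|Trying private key): (\S+)")
ACCEPT_RE = re.compile(r"^debug1: Server accepts key:")


def key_attempts(log):
    """Return (key paths in the order the client offered them, accepted path or None)."""
    tried, accepted = [], None
    for line in log.splitlines():
        m = OFFER_RE.match(line)
        if m:
            tried.append(m.group(1))
        elif ACCEPT_RE.match(line) and tried:
            accepted = tried[-1]  # the server just accepted the most recent offer
    return tried, accepted


def check_intended_key(log, intended):
    """Say whether the key we meant to use was offered first, and what to fix if not."""
    tried, accepted = key_attempts(log)
    if not tried:
        return "no public-key attempts in log"
    if tried[0] != intended:
        return (f"{tried[0]} was offered before {intended}: "
                "set IdentitiesOnly yes in the matching Host block")
    if accepted != intended:
        return f"{intended} was offered first but the server accepted {accepted}"
    return f"{intended} was offered first and accepted"
```

Run it over a real `ssh -vvv` capture to confirm the first offered path is the IdentityFile you intended before concluding that the agent is winning.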
bugzilla-daemon at mindrot.org
2015-Aug-11 13:05 UTC
[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i
https://bugzilla.mindrot.org/show_bug.cgi?id=2066
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #16 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1