bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-18 09:35 UTC
[Bug 2970] New: explicit IdentityFile has lower priority than agent keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2970
Bug ID: 2970
Summary: explicit IdentityFile has lower priority than agent keys
Product: Portable OpenSSH
Version: 7.9p1
Hardware: Other
OS: Windows 7
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: basinilya at gmail.com
I need to offer a non-default ssh key when I access some git repos. In
my `~/.gitconfig` I have:
    [url "git@gh-org:privateorg/"]
        insteadOf = git@github.com:privateorg/
And in my `~/.ssh/config` I have:
    Host gh-org
        HostName github.com
        IdentityFile ~/.ssh/zzz-basi01.id_rsa.disabled
`.disabled` means it should not be added to the agent automatically so
I don't have too many keys in it (to address "Too many authentication
failures" on password-protected servers).
However, if the key is *not* added to the agent, when I try to connect,
ssh first tries the agent keys:
    debug1: Will attempt key: /home/basin/.ssh/id_rsa RSA xxxxx agent
    debug1: Will attempt key: funktestkey RSA xxxx agent
    debug1: Will attempt key: /home/basin/.ssh/zzz-basi01.id_rsa.disabled explicit
    ...
    debug1: Offering public key: /home/basin/.ssh/id_rsa RSA xxxxx agent
    ...
    debug1: Server accepts key: /home/basin/.ssh/id_rsa RSA xxxx agent
The workaround is to disable agent usage with `IdentityAgent none`.
However, I expect ssh to try the identities from the agent and files in
a mixed manner, explicit first.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-18 10:35 UTC
[Bug 2970] explicit IdentityFile has lower priority than agent keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2970
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
I think IdentitiesOnly does what you want:

    IdentitiesOnly
        Specifies that ssh(1) should only use the authentication identity
        and certificate files explicitly configured in the ssh_config
        files or passed on the ssh(1) command-line, even if ssh-agent(1)
        or a PKCS11Provider offers more identities. The argument to this
        keyword must be yes or no (the default). This option is intended
        for situations where ssh-agent offers many different identities.
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-19 18:29 UTC
[Bug 2970] explicit IdentityFile has lower priority than agent keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2970
--- Comment #2 from Ilya Basin <basinilya at gmail.com> ---
Even with IdentitiesOnly=yes, among explicitly listed keys, agent keys
take precedence, regardless of the order in the command line:

    ssh -vvv -oIdentitiesOnly=yes -oBatchMode=yes -i ~/.ssh/zzz-test2.id_rsa -i ~/.ssh/id_rsa localhost date
    ...
    debug1: Will attempt key: /home/il/.ssh/id_rsa RSA xxx explicit agent
    debug1: Will attempt key: /home/il/.ssh/zzz-test2.id_rsa RSA xxx explicit
I still think it is natural to expect that `ssh -i identity_file` will
first try the identity_file without the need to specify additional
options.
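Added example, not part of the original thread and not OpenSSH project code: a small parser for the "Will attempt key:" lines quoted above that lists the order in which ssh will try keys and flags agent keys that were never explicitly configured. The sample logs are constructed from the lines in this thread with placeholder paths and fingerprints; the function names are hypothetical, and `explicit` and `agent` are assumed to be the only trailing source markers.

```python
import re

# Constructed samples modelled on the debug lines quoted in this thread
# (paths and fingerprints are placeholders, not real keys).
LOG_DEFAULT = """\
debug1: Will attempt key: /home/user/.ssh/id_rsa RSA SHA256:AAAA agent
debug1: Will attempt key: funktestkey RSA SHA256:BBBB agent
debug1: Will attempt key: /home/user/.ssh/org.id_rsa explicit
"""
LOG_IDENTITIES_ONLY = """\
debug1: Will attempt key: /home/user/.ssh/id_rsa RSA SHA256:AAAA explicit agent
debug1: Will attempt key: /home/user/.ssh/test2.id_rsa RSA SHA256:CCCC explicit
"""

ATTEMPT = re.compile(r"^debug\d: Will attempt key: (.+)$")
FLAGS = {"explicit", "agent"}  # assumption: only the markers seen in this thread


def attempt_order(log):
    """Return [(name, flags)] in the order ssh says it will try the keys."""
    keys = []
    for line in log.splitlines():
        m = ATTEMPT.match(line.strip())
        if not m:
            continue
        fields = m.group(1).split()
        flags = set()
        # Source markers trail the line; peel them off from the right.
        while len(fields) > 1 and fields[-1] in FLAGS:
            flags.add(fields.pop())
        keys.append((fields[0], flags))  # assumes no spaces in the key name
    return keys


def unrequested_agent_keys(log):
    """Agent keys that will be tried although they were not explicitly configured."""
    return [n for n, f in attempt_order(log) if "agent" in f and "explicit" not in f]


def tried_before(log, wanted):
    """Names of keys ssh will try before the key whose name ends with `wanted`."""
    names = [n for n, _ in attempt_order(log)]
    for i, name in enumerate(names):
        if name.endswith(wanted):
            return names[:i]
    raise ValueError(f"{wanted} is not in the attempt list")


if __name__ == "__main__":
    for label, log in (("default", LOG_DEFAULT), ("IdentitiesOnly=yes", LOG_IDENTITIES_ONLY)):
        print(label, "unrequested agent keys:", unrequested_agent_keys(log))
```

Run it over `ssh -v` output captured for a host alias to confirm that only the intended key is offered before relying on per-host identities.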
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-22 03:51 UTC
[Bug 2970] explicit IdentityFile has lower priority than agent keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2970
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
This is deliberate - agent keys are always preferred because they will
typically not require the user to enter a passphrase, whereas keys on the
filesystem are far more likely to.
IMO this gives the best experience for the majority of users.
bugzilla-daemon at bugzilla.mindrot.org
2019-May-10 04:53 UTC
[Bug 2970] explicit IdentityFile has lower priority than agent keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2970
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
bugzilla-daemon at mindrot.org
2021-Apr-23 05:04 UTC
[Bug 2970] explicit IdentityFile has lower priority than agent keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2970
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release