bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-09 08:54 UTC
[Bug 3080] New: Document IdentityFile=none and clarify interaction of defaults with IdentitiesOnly
https://bugzilla.mindrot.org/show_bug.cgi?id=3080
Bug ID: 3080
Summary: Document IdentityFile=none and clarify interaction of
defaults with IdentitiesOnly
Product: Portable OpenSSH
Version: 8.0p1
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: Documentation
Assignee: unassigned-bugs at mindrot.org
Reporter: openssh at nuclearsunshine.com
Currently the documentation for IdentitiesOnly states:
"Specifies that ssh(1) should only use the authentication identity and
certificate files explicitly configured in the ssh_config files or
passed on the ssh(1) command-line..."
This is inaccurate, as with no IdentityFile configuration in
/etc/ssh/ssh_config or ~/.ssh/config, the *default* IdentityFile value
(documented but not *explicitly configured*) is used when IdentitiesOnly
is set.
This is compounded by the fact that the mechanism for setting
IdentityFile to empty (using the special "none" string) is not
documented (see https://bugzilla.mindrot.org/show_bug.cgi?id=2362).
I suggest the following fixes:
* Update the IdentityFile documentation to mention the "none" string.
* Change the IdentitiesOnly documentation to say that it will use the
*default* IdentityFile configuration if that parameter is not
explicitly configured (and draw specific attention to this, as it's
unlikely to be what the user wants if they specify IdentitiesOnly - I
suggest recommending the above IdentityFile setting).
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-10 04:17 UTC
[Bug 3080] Document IdentityFile=none and clarify interaction of defaults with IdentitiesOnly
https://bugzilla.mindrot.org/show_bug.cgi?id=3080
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This was fixed last September in commit 7047d5afe3 and should be in
OpenSSH 8.2.
bugzilla-daemon at mindrot.org
2020-Jul-11 08:11 UTC
[Bug 3080] Document IdentityFile=none and clarify interaction of defaults with IdentitiesOnly
https://bugzilla.mindrot.org/show_bug.cgi?id=3080
osnuc <openssh at nuclearsunshine.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|FIXED |---
Status|RESOLVED |REOPENED
--- Comment #2 from osnuc <openssh at nuclearsunshine.com> ---
Hi, thanks for the update on this.
As far as I can see, the special "none" string for IdentityFile still
remains undocumented. So as a minimum, can you please make the
following change:
* in the IdentityFile section, mention the special "none" value.
Additionally, a common use case for IdentitiesOnly is to set it to yes
globally, and then set IdentityFile for each host, with the intention
of *only* trying the explicitly configured key.
However, this will not have the desired effect, since OpenSSH will
still try (falling back on?) keys with standard names.
For this reason, it would be helpful to add the following:
* in the IdentitiesOnly section, mention also needing to set
IdentityFile to none if the user does not want to fall back on SSH keys
with standard names.
bugzilla-daemon at mindrot.org
2023-Oct-11 06:42 UTC
[Bug 3080] Document IdentityFile=none and clarify interaction of defaults with IdentitiesOnly
https://bugzilla.mindrot.org/show_bug.cgi?id=3080
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|REOPENED |RESOLVED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
https://github.com/openssh/openssh-portable/commit/fc77c8e352c0f44125425c05265e3a00c183d78a
mentions IdentityFile=none
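Added example, not part of the bug thread and not OpenSSH code: a simplified Python model of the interaction the report describes, which flags hosts where IdentitiesOnly=yes is in effect but no IdentityFile was configured, so the default key names are still used. The host names, sample config, function names and the default key list (which varies by OpenSSH version) are assumptions made for illustration.

```python
import fnmatch
import re

# Assumption: default key names as listed in an ssh_config(5) man page;
# the exact list varies by OpenSSH version.
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ecdsa_sk",
                      "~/.ssh/id_ed25519", "~/.ssh/id_ed25519_sk"]

# Constructed sample config (hypothetical hosts), not from the bug report.
SAMPLE_CONFIG = """\
Host locked.example
    IdentityFile none
Host git.example
    IdentityFile ~/.ssh/git_key
Host *
    IdentitiesOnly yes
"""

def effective_identities(config_text, host):
    """Return (identities_only, identity_files) for host.

    Simplified model: Host blocks only (no Match, Include, negated
    patterns or quoting).
    """
    active = True           # lines before the first Host apply to every host
    identities_only = None  # first obtained value wins
    files = []              # IdentityFile directives accumulate
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$", raw)
        if not m:           # blank line, comment or bare keyword
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active and keyword == "identitiesonly" and identities_only is None:
            identities_only = value.lower() == "yes"
        elif active and keyword == "identityfile":
            files.append(value)
    if not files:
        # No IdentityFile matched: the defaults are used, even with
        # IdentitiesOnly=yes (the behaviour reported in this bug).
        files = list(DEFAULT_IDENTITIES)
    # The special value "none" means no identity file is loaded.
    return bool(identities_only), [f for f in files if f.lower() != "none"]

def audit(config_text, hosts):
    """Hosts where IdentitiesOnly=yes still offers the default key names."""
    return [h for h in hosts
            if effective_identities(config_text, h) == (True, DEFAULT_IDENTITIES)]
```

On a real system, `ssh -G <host>` prints the configuration ssh actually resolves for a host and is the authoritative check; this model only illustrates the rule.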