Is there any way to tell the openssh client exactly which identity to use for an outgoing connection? I know about "-i identityfile", but it doesn't do what I want. I want to precisely specify the identity to use, not just add an identity to a list of things to try. Whatever mechanism is used should work both for local files and for identities managed by ssh-agent.

My ssh client has access to multiple identities (some from files, and some from ssh-agent), and more than one of the available identities would allow me to log in to a target account, but different identities have different "command=" restrictions in the target account's .ssh/authorized_keys2 file. So I want to specify on the ssh command line exactly which identity to use; I don't want the client to just keep trying multiple identities until one of them works, because then it may use an identity that has the wrong "command=" restrictions on the server side.

--apb (Alan Barrett)
On Mon, Dec 05, 2005 at 03:18:49PM +0200, Alan Barrett wrote:
> [...] So I want to specify on the ssh command
> line exactly which identity to use; I don't want the client to just
> keep trying multiple identities until one of them works, because then it
> may use an identity that has the wrong "command=" restrictions on the
> server side.

Does adding the "IdentitiesOnly" option do what you want?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Alan Barrett wrote:
> On Tue, 06 Dec 2005, Damien Miller wrote:
>
>>> The identity that I want to use will sometimes be available from
>>> ssh-agent, and not available in any readable files.
>>
>> Specify it as an IdentityFile in .ssh/config - ssh should try keys in
>> the order in which they are listed, preferring ones in the agent if
>> they are present.
>
> How do I specify an "IdentityFile" that is not a file?

Darren answered that:

> You still need a readable copy of the *public* key file to authenticate
> via a private key stored in ssh-agent.

-d
On December 8, djm at mindrot.org said:
> Alan Barrett wrote:
>
> > How do I specify an "IdentityFile" that is not a file?
>
> Darren answered that:
>
> > You still need a readable copy of the *public* key file to authenticate
> > via a private key stored in ssh-agent.

in particular, if you have a single identity stored in your agent, you
can extract the public key into a file with

  ssh-add -L > ~/.ssh/high-priority-key.pub

hth,

--dkg
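The recipe the replies converge on (extract the public half of the agent key with ssh-add -L, name that .pub file with -i, and set IdentitiesOnly so the client offers nothing else) is shown below as an added worked example; it is not from the thread or from OpenSSH itself. It generalises dkg's one-liner to an agent holding several keys by selecting one by its comment and refusing to proceed when the comment matches no key or more than one. The key blobs are constructed placeholders, and the helper names (select_pubkey, write_pubkey, pin_identity_cmd, pin_identity_live) are this example's own, not OpenSSH names.

```shell
#!/bin/sh
# Added example (not from the thread): pin one ssh-agent identity for a
# single outgoing connection.
#   1. extract that key's public half from `ssh-add -L` into a .pub file,
#   2. pass that file with -i (ssh then uses the matching agent key),
#   3. add IdentitiesOnly=yes so no other agent key is offered.
# Key blobs below are constructed placeholders, not real keys; the helper
# names are this example's own.

# Constructed stand-in for the output of `ssh-add -L`: three agent keys,
# distinguished only by their trailing comment.
SAMPLE_AGENT_LISTING='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneNotReal0000000000000000000 backup-only
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwoNotReal0000000000000000000 high-priority
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyThreeNotReal00000000000000000 old laptop'

# select_pubkey LISTING COMMENT
# Print the single "type blob comment" line whose comment equals COMMENT.
# Return 1 if no key matches and 2 if several do: silently taking the first
# hit would reintroduce the ambiguity the thread is trying to remove.
select_pubkey() {
    sp_matches=$(printf '%s\n' "$1" |
        awk -v want="$2" '{ c = $0; sub(/^[^ ]+ [^ ]+ /, "", c); if (c == want) print }')
    sp_n=$(printf '%s\n' "$sp_matches" | grep -c . || true)
    case $sp_n in
        1) printf '%s\n' "$sp_matches" ;;
        0) printf 'select_pubkey: no agent key with comment "%s"\n' "$2" >&2; return 1 ;;
        *) printf 'select_pubkey: %s agent keys carry comment "%s"\n' "$sp_n" "$2" >&2; return 2 ;;
    esac
}

# write_pubkey LISTING COMMENT FILE
# Store the selected public key in FILE so it can be named with -i.
write_pubkey() {
    wp_line=$(select_pubkey "$1" "$2") || return $?
    printf '%s\n' "$wp_line" > "$3"
}

# pin_identity_cmd PUBFILE DESTINATION
# Print the ssh command line that forces exactly this identity.
pin_identity_cmd() {
    printf 'ssh -o IdentitiesOnly=yes -i %s %s\n' "$1" "$2"
}

# pin_identity_live COMMENT DESTINATION [COMMAND...]
# The real thing: read the running agent, write the .pub file, exec ssh.
# Deliberately never called at top level, so this file can be sourced
# (or tested) on a machine without an agent.
pin_identity_live() {
    pl_comment=$1; pl_dest=$2; shift 2
    pl_dir=$(mktemp -d) || return 1
    pl_pub=$pl_dir/pinned.pub
    write_pubkey "$(ssh-add -L)" "$pl_comment" "$pl_pub" || return $?
    exec ssh -o IdentitiesOnly=yes -i "$pl_pub" "$pl_dest" "$@"
}
```

To check that the pinning actually took, run the resulting command with -v: the "Offering public key:" lines in the debug output should name only the pinned key. Without IdentitiesOnly the same -i invocation still lets ssh offer every other key the agent holds, which is the behaviour the original post complains about.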