Hi,

I noticed that the ssh -i <keyfile> option is "ignored" in my case:

On my server, I have two keys in .ssh/authorized_keys:

    command="echo A" ssh-rsa A... # Key A
    command="echo B" ssh-rsa B... # Key B

Suppose these keys are stored on my client as A{,.pub} and B{,.pub}. Now the following situation:

    $ ssh-add -L
    ssh-rsa A...
    $ ssh -i B server
    A

As you can see, when A is loaded in ssh-agent but B isn't, the connection is made with key A even when B is specifically requested.

I looked around the source and found a few hints here and there (readconf.c:add_identity_files(), sshconnect2.c:pubkey_prepare(), the "userprovided" tag in the Options struct...), but overall it's unclear to me what the semantics of "-i" is actually meant to be.

What I always expected from "-i" was that only the keys given with -i are tried, or at least these keys are tried first, irrespective of whether or not they are loaded into ssh-agent.

I tried this with the versions from current Debian jessie, and also compiled the developer version 8ef691 from 2015-03-11 and got the same behaviour.

Many regards,
Jens Stimpfle
On Sun, Mar 15, 2015 at 03:48:30PM +0100, Jens Stimpfle wrote:
> I noticed that the ssh -i <keyfile> option is "ignored" in my case:
[...]
> As you can see, when A is loaded in ssh-agent but B isn't, the
> connection is made with key A even when B is specifically requested.

You didn't specify "only use B":

    IdentitiesOnly
            Specifies that ssh should only use the authentication identity
            files configured in the ssh_config files, even if the ssh-agent
            offers more identities.  The argument to this keyword must be
            "yes" or "no".  This option is intended for situations where
            ssh-agent offers many different identities.  The default is "no".

-- 
rgds
Stephen
On 15/03/15 15:48, Jens Stimpfle wrote:
> Hi,
>
> I noticed that the ssh -i <keyfile> option is "ignored" in my case:
>
> On my server, I have two keys in .ssh/authorized_keys:
>
>     command="echo A" ssh-rsa A... # Key A
>     command="echo B" ssh-rsa B... # Key B
>
> Suppose these keys are stored on my client as A{,.pub} and B{,.pub}. Now
> the following situation:
>
>     $ ssh-add -L
>     ssh-rsa A...
>     $ ssh -i B server
>     A
>
> As you can see, when A is loaded in ssh-agent but B isn't, the
> connection is made with key A even when B is specifically requested.
>
> I looked around the source and found a few hints here and there
> (readconf.c:add_identity_files(), sshconnect2.c:pubkey_prepare(), the
> "userprovided" tag in the Options struct...), but overall it's unclear
> to me what the semantics of "-i" is actually meant to be.
>
> What I always expected from "-i" was that only the keys given with -i
> are tried, or at least these keys are tried first, irrespective of
> whether or not they are loaded into ssh-agent.

ssh tries with the ssh-agent keys first, then with the one provided with -i.
As A is loaded and accepted, B is never tried.

I have been bitten by that several times, too. Usually when having many keys in the agent, and trying to use a specific key, just to be rejected by attempting a login with too-many-keys.

I usually prepend env -i to the ssh command, to disconnect it from the agent. Although as Stephen mentions, you can also solve it with -o IdentitiesOnly=yes.

IMHO it should try -i keys first, and then the agent ones. But if the -i key is already in the agent, it would be preferable not to ask for its password again...
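The persistent form of Stephen's -o IdentitiesOnly=yes, as an added ssh_config illustration that is not part of the thread: the host alias "server" and the key paths ~/.ssh/A and ~/.ssh/B are assumed, and the HostName is a placeholder. With this block in place, a plain "ssh server" offers only B to that host, no matter which keys ssh-agent holds; A (and every other agent key) is left out of the pubkey attempts, so the "too many keys" rejection Ángel describes cannot happen for this host.

```sshconfig
# ~/.ssh/config (added example; "server", ~/.ssh/B and the HostName are assumed)
Host server
    HostName server.example.org      # placeholder, replace with the real host
    IdentitiesOnly yes               # do not offer agent keys that are not listed here
    IdentityFile ~/.ssh/B            # the only identity ssh will try for this host
    # Keys named on the command line with -i are added to the list above,
    # so "ssh -i ~/.ssh/A server" still works when A is wanted explicitly.
```

To check what ssh will actually do, run "ssh -v server" and look for the "Offering ... public key" lines in the debug output; only ~/.ssh/B should appear. On OpenSSH 6.8 and later, "ssh -G server" prints the effective configuration (identitiesonly and identityfile among it) without connecting. IdentitiesOnly restricts which keys are offered, not where the signature comes from: if B is also loaded in the agent, ssh still has the agent sign with it, so the passphrase concern in the last paragraph does not arise with this setting.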