There are cases when a user might have multiple keys in ssh-agent, but wants to use a specific one. Unless I'm mistaken, this is currently impossible. I've put together a proof of concept using the key's "filename" (the third column in the output of 'ssh-add -l') and it works. Is this a new feature that would be accepted? If so, should the key be identified with its "filename", or a fingerprint, or something else? What would be an appropriate option name? Does it make more sense to prevent loading the other keys at all, or to load them but not transmit the ones that don't match? -- Bitt Faulk
On Thursday 21 January 2016, William Faulk wrote:
> There are cases when a user might have multiple keys in ssh-agent,
> but wants to use a specific one. Unless I'm mistaken, this is
> currently impossible.

You can do that with option "IdentityFile", see "man ssh_config". Either specified with -o or IMO better in ~/.ssh/config like my example here:

    Host gcc?? gcc??? gcc*.fsffrance.org
        IdentityFile /home/rudi/.ssh/gccfarm_rudi_dsa
        IdentitiesOnly=yes
        PasswordAuthentication no

    Host * !gcc?? !gcc??? !gcc*.fsffrance.org
        IdentityFile /home/rudi/.ssh/id_ecdsa

cu,
Rudi
On Thu, Jan 21, 2016 at 2:50 AM, Ruediger Meier <sweet_f_a at gmx.de> wrote:
>
> You can do that with option "IdentityFile"

IdentityFile currently only looks at a specific file on the filesystem. It doesn't modify what key is chosen from an agent. This does not work when your key doesn't exist on the local filesystem, such as when you're logged into a remote system and relying on ForwardAgent.

-- 
Bitt Faulk
On 2016-01-21, Ruediger Meier <sweet_f_a at gmx.de> wrote:
>> There are cases when a user might have multiple keys in ssh-agent,
>> but wants to use a specific one. Unless I'm mistaken, this is
>> currently impossible.
>
> You can do that with option "IdentityFile", see "man ssh_config".

That assumes that the key files are locally available. If you are on host A and want to connect to B, it is perfectly possible to have keys in the agent that were added on another host C.

-- 
Christian "naddy" Weisgerber
naddy at mips.inka.de
William Faulk wrote:
> There are cases when a user might have multiple keys in ssh-agent, but
> wants to use a specific one. Unless I'm mistaken, this is currently
> impossible. I've put together a proof of concept using the key's
> "filename" (the third column in the output of 'ssh-add -l') and it
> works.

Is security one of the motivations for the change? In that case, the user interface needs to be agent-side.

//Peter
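The thread asks whether an agent key should be selected by its "filename" (the comment column of `ssh-add -l`) or by its fingerprint. The following added example (not code from the thread or from OpenSSH) parses a constructed `ssh-add -l` listing and shows why the comment is a weak selector: it may contain spaces and is not unique, whereas a fingerprint identifies exactly one key.

```python
import re

# Constructed sample of `ssh-add -l` output; the fingerprints are placeholders,
# not real key hashes. Format per line: "<bits> <fingerprint> [<comment>] (<type>)".
# The comment is whatever was attached when the key was added (often a file path)
# and nothing stops two keys from carrying the same one.
SAMPLE_LISTING = """\
1024 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /home/rudi/.ssh/gccfarm_rudi_dsa (DSA)
256 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB /home/rudi/.ssh/id_ecdsa (ECDSA)
256 SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC /home/rudi/.ssh/id_ecdsa (ED25519)
4096 SHA256:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD key added on host C (RSA)
2048 SHA256:EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE (RSA)
"""

# The comment group is lazy and optional so that a comment with spaces, or no
# comment at all, still parses; the trailing "(TYPE)" anchors the end of line.
LINE_RE = re.compile(
    r"^(?P<bits>\d+)\s+(?P<fp>\S+)(?:\s+(?P<comment>.*?))?\s+\((?P<type>[A-Z0-9-]+)\)$"
)


def parse_listing(text):
    """Turn `ssh-add -l` text into a list of dicts, one per key in the agent."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ssh-add -l line: {line!r}")
        keys.append({
            "bits": int(m["bits"]),
            "fingerprint": m["fp"],
            "comment": m["comment"] or "",
            "type": m["type"],
        })
    return keys


def select_key(keys, *, fingerprint=None, comment=None):
    """Return the one key matching the given selector; refuse ambiguous matches."""
    if (fingerprint is None) == (comment is None):
        raise ValueError("give exactly one of fingerprint= or comment=")
    field, wanted = ("fingerprint", fingerprint) if fingerprint else ("comment", comment)
    matches = [k for k in keys if k[field] == wanted]
    if not matches:
        raise LookupError(f"no agent key with {field} {wanted!r}")
    if len(matches) > 1:
        # Two keys share this comment: the "filename" does not pin down a key.
        raise LookupError(f"{len(matches)} agent keys share {field} {wanted!r}; use a fingerprint")
    return matches[0]
```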