raf
2020-Sep-30 08:08 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 03:35:43PM +1000, Damien Miller <djm at mindrot.org> wrote:

> On Wed, 30 Sep 2020, raf wrote:
>
> > Hi,
> >
> > I have a VM with a git repository whose origin is on
> > github. I have several keys known to github, so I needed
> > to set git's core.sshcommand config parameter in the
> > repository to something like this:
> >
> >   ssh -i ~/.ssh/id_ed25519_github2
> >
> > But it meant that I needed to copy that key to the VM.
> > The same key is available via my forwarded ssh-agent
> > connection. Is it possible to tell ssh to use that
> > instead of the key in a file? The documentation for the
> > -i option only mentions files.
>
> ssh will read the public key (id_ed25519_github2.pub) to identify the key
> before it tries to use the private key (id_ed25519_github2). If the private
> key is available in the agent then it will never try to use the private key
> file.
>
> Summary: copy id_ed25519_github2.pub to your VM and the above command will
> work.
>
> -d

Hi Damien,

Thanks. That's brilliant.
It should get a mention in the manpage.
I've attached a patch for ssh.1.

However, I've just tried it and it didn't work for me. :-(

$ git config core.sshcommand
ssh -i ~/.ssh/id_ed25519_github2

$ ls -l ~/.ssh/id*
-rw-r--r-- 1 raf raf 110 Dec 19  2019 /home/raf/.ssh/id_ed25519_github2.pub

$ cat ~/.ssh/id_ed25519_github2.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK user at domain.com

$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK user at domain.com
[...]

$ git pull
Warning: Identity file /home/raf/.ssh/id_ed25519_aps_github not accessible: No such file or directory.
ERROR: Repository not found.
[...]

$ ssh -V
OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u  20 Dec 2019

Perhaps this version of ssh is too old for this to work?

Regards,
Robert

Attachment: ssh.1.patch (text/x-diff, 517 bytes): <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200930/d44ec270/attachment.bin>
Danishka Navin
2020-Sep-30 08:43 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 1:40 PM raf <ssh at raf.org> wrote:

> On Wed, Sep 30, 2020 at 03:35:43PM +1000, Damien Miller <djm at mindrot.org> wrote:
>
> > ssh will read the public key (id_ed25519_github2.pub) to identify the key
> > before it tries to use the private key (id_ed25519_github2). If the private
> > key is available in the agent then it will never try to use the private key
> > file.
> >
> > Summary: copy id_ed25519_github2.pub to your VM and the above command will
> > work.
>
> [...]
>
> However, I've just tried it and it didn't work for me. :-(
>
> $ git config core.sshcommand
> ssh -i ~/.ssh/id_ed25519_github2
>
> $ ls -l ~/.ssh/id*
> -rw-r--r-- 1 raf raf 110 Dec 19  2019 /home/raf/.ssh/id_ed25519_github2.pub
>
> [...]
>
> $ git pull
> Warning: Identity file /home/raf/.ssh/id_ed25519_aps_github not accessible: No such file or directory.
> ERROR: Repository not found.

Where is this id_ed25519_*aps*_github file coming from?

-- 
Danishka Navin
Damien Miller
2020-Sep-30 09:45 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, 30 Sep 2020, raf wrote:

> Thanks. That's brilliant.
> It should get a mention in the manpage.
> I've attached a patch for ssh.1.
>
> However, I've just tried it and it didn't work for me. :-(
>
> $ git config core.sshcommand
> ssh -i ~/.ssh/id_ed25519_github2

Personally, I find it easier to use ~/.ssh/config for this sort of
configuration:

Host github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github2
    IdentitiesOnly yes # Don't use other keys in agent or on disk

You can then also "ssh -vvv github.com true" to see what is going wrong.

-d
raf
2020-Sep-30 23:26 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 02:13:20PM +0530, Danishka Navin <danishka at gmail.com> wrote:

> On Wed, Sep 30, 2020 at 1:40 PM raf <ssh at raf.org> wrote:
>
> > [...]
> >
> > $ git pull
> > Warning: Identity file /home/raf/.ssh/id_ed25519_aps_github not accessible: No such file or directory.
> > ERROR: Repository not found.
>
> Where is this id_ed25519_*aps*_github file coming from?

Sorry, that's the real name of the key file. I missed changing it to
match the other appearances.

The point in using ...github2 was to indicate the fact that I have
multiple keys in my agent that are known to github, and without telling
ssh which one to use for a given git repository, ssh would try all the
keys in some arbitrary(?) order and one of the others might be tried
first and work, i.e. one of the keys that doesn't have write permission
to the repository in question because it is for a different github
account.

This is probably only an issue when you have multiple working keys for a
server, but only one of them will get you what you actually need after
the original authentication has taken place. Github is probably a
special case because all accounts use the same ssh username "git".

cheers,
raf
raf
2020-Sep-30 23:58 UTC
How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 07:45:20PM +1000, Damien Miller <djm at mindrot.org> wrote:

> On Wed, 30 Sep 2020, raf wrote:
>
> > Thanks. That's brilliant.
> > It should get a mention in the manpage.
> > I've attached a patch for ssh.1.
> >
> > However, I've just tried it and it didn't work for me. :-(
> >
> > $ git config core.sshcommand
> > ssh -i ~/.ssh/id_ed25519_github2
>
> Personally, I find it easier to use ~/.ssh/config for this sort of
> configuration:
>
> Host github.com
>     User git
>     IdentityFile ~/.ssh/id_ed25519_github2
>     IdentitiesOnly yes # Don't use other keys in agent or on disk
>
> You can then also "ssh -vvv github.com true" to see what is going wrong.
>
> -d

I'd agree in general, but not in this instance. Since I have multiple
github accounts and hence multiple keys for that user/server
combination, each one leading to a different github account, I would
also have to create a server name alias for each key, and put
configurations for each of them in the config file. Just running a git
config command per repository, and keeping the config with the
repository, seems simpler to me.

Also, I don't think that your example would actually solve my problem,
which is the desire to get the key from the agent rather than from a
file on disk. Your example above explicitly prevents ssh from using the
agent with "IdentitiesOnly yes". Does this mean that your original
suggestion doesn't work, even on later versions of ssh?

New question: If I do create a key-specific hostname alias for each of
my github accounts in the ~/.ssh/config file, can I do it in the config
file that is where my private keys are (and will that config be
forwarded to the VM), or would this config need to be local to the VM?
I expect that config settings probably wouldn't be forwarded via the
agent. If this config has to be local to the VM, I still don't know how
to tell it to get the specified key from the agent.

I suppose I can put up with having the private key in the VM. It's on a
laptop where the private key is anyway. It's just that I had to delete
it before exporting the VM to send to someone else. But I can put it
back.

But if anyone does implement your original suggestion, that would be
great for anyone with multiple github accounts. An alternative would be
to change IdentityFile to also accept a fingerprint/hash/keygrip, or add
a new config parameter IdentityKey which takes a fingerprint/hash/keygrip
argument to make it clear that the key could come from the agent (or an
unspecified file). Just a thought.

Thanks for your time and suggestions.

cheers,
raf
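Editor's note, with an added example that is not part of the thread and not OpenSSH code. Two points in the exchange are easy to get wrong and are worth seeing run: Damien's first answer (an IdentityFile entry is identified by its .pub, and if the agent holds the private key ssh signs through the agent and never needs the private file) and the interaction with his later "IdentitiesOnly yes" suggestion, which raf reads as disabling the agent. Per ssh_config(5), IdentitiesOnly only stops ssh from offering identities the agent holds that are not listed via IdentityFile; a listed key whose private half lives only in the agent is still signed by the agent. The Python below models that selection, plus the one-alias-per-account ~/.ssh/config layout raf describes. The config text, key blobs and agent contents are constructed placeholders (not real key material); the ordering (agent-backed listed keys, then other agent keys, then file-only keys) follows my reading of ssh's pubkey_prepare() and may differ in detail between releases; the config parser is simplified (no negated patterns, no Match blocks, and the built-in default IdentityFile entries are omitted).

```python
"""Model of how ssh chooses and orders public-key identities.

Added example, not OpenSSH code.  Imitates the behaviour discussed in the
thread: an IdentityFile whose private half is missing is still usable from
its .pub when the agent holds the key, and IdentitiesOnly only drops agent
keys that are *not* listed.  Ordering is my reading of pubkey_prepare()
(agent-backed listed keys, other agent keys, file-only keys); details vary
between releases.  All config, keys and agent contents are constructed.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class Identity:
    name: str      # IdentityFile path, or the agent key's comment if unlisted
    key: str       # "type base64" with the comment stripped
    source: str    # "agent", "file" or "pub-only"
    usable: bool   # False when neither a private key nor the agent can sign


def key_id(line):
    """Normalise 'ssh-ed25519 AAAA... comment' to 'ssh-ed25519 AAAA...'."""
    return " ".join(line.split()[:2])


def resolve_host(config_text, host):
    """Resolve ssh_config for *host*: first matching Host block wins per
    keyword, except IdentityFile, which accumulates (simplified parser)."""
    opts = {"identityfile": []}
    active = True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif not active:
            continue
        elif key == "identityfile":
            opts["identityfile"].append(value)
        elif key not in opts:
            opts[key] = value
    return opts


def prepare_identities(identity_files, disk, agent_keys, identities_only):
    """disk: {path: pubkey line} for files present (private key at path,
    public key at path + '.pub').  agent_keys: lines as `ssh-add -L` prints."""
    listed = []
    for path in identity_files:
        if path in disk:
            listed.append(Identity(path, key_id(disk[path]), "file", True))
        elif path + ".pub" in disk:
            # ssh warns "Identity file ... not accessible" for the private
            # half but keeps the public key to match against the agent
            listed.append(Identity(path, key_id(disk[path + ".pub"]), "pub-only", False))
        # a path with neither file is skipped entirely
    preferred, unlisted = [], []
    for line in agent_keys:
        k = key_id(line)
        hit = next((i for i in listed if i.key == k), None)
        if hit:                       # listed key held by the agent: agent signs
            listed.remove(hit)
            preferred.append(Identity(hit.name, k, "agent", True))
        elif not identities_only:     # unlisted agent key, offered only without IdentitiesOnly
            parts = line.split()
            unlisted.append(Identity(parts[2] if len(parts) > 2 else "agent", k, "agent", True))
    return preferred + unlisted + listed


# Constructed ~/.ssh/config: one alias per GitHub account, same real host.
SAMPLE_CONFIG = """\
Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github2
    IdentitiesOnly yes

Host github-personal
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github1
    IdentitiesOnly yes
"""

# Placeholder blobs (constructed, not real keys).
WORK = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIWORKWORKWORKWORKWORKWORKWORKWORKWORKWORK work"
PERSONAL = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPERSPERSPERSPERSPERSPERSPERSPERSPERSPERS personal"
AGENT = [PERSONAL, WORK]                        # order `ssh-add -L` reports them
DISK = {"~/.ssh/id_ed25519_github2.pub": WORK}  # only the .pub was copied to the VM


def offered_keys(host, config_text=SAMPLE_CONFIG, disk=DISK, agent=AGENT):
    """Identities ssh would offer for *host*, in order, as (name, source)."""
    opts = resolve_host(config_text, host)
    ids = prepare_identities(opts["identityfile"], disk, agent,
                             opts.get("identitiesonly", "no").lower() == "yes")
    return [(i.name, i.source) for i in ids if i.usable]


if __name__ == "__main__":
    print(offered_keys("github-work"))           # the work key, signed by the agent
    print(offered_keys("github.com"))            # no alias: every agent key, agent order
    print(offered_keys("github-work", agent=[])) # a .pub alone cannot sign
```

With this layout each repository is pointed at the alias rather than at the real host (git remote set-url origin git@github-work:owner/repo.git), so the alias, not key order in the agent, decides which account authenticates; the "github.com" case in the model shows the other outcome raf describes, where every agent key is offered in agent order and the first one GitHub accepts wins. The config has to live on the machine running ssh (here the VM); nothing in the agent protocol carries ssh_config, only keys and signatures.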