On Tue, 30 Nov 2021, Dirk-Willem van Gulik wrote:
> Is it just me - or does, since version 3.0.7, IdentitiesOnly no longer
> include PKCS#11 keys ?
>
> With IdentitiesOnly set to yes - I see them getting picked up:
>
> debug2: pkcs11_fetch_keys: provider /Library/OpenSC/lib/onepin-opensc-pkcs11.so slot 0: RSA SHA256:etcetc
> debug1: have 2 keys
>
> but not being offered. With IdentitiesOnly set to no (or without; the
> default) - they get offered.
>
> Is that intentional ? Or what is the thinking behind this ?
Yes, intentional. This changed in OpenSSH 6.2, almost 9 years ago :)
> commit cb6b68b209d8868a94a30b1a634beb1a65cb5265
> Author: Damien Miller <djm at mindrot.org>
> Date: Mon Dec 3 09:49:52 2012 +1100
>
> - djm at cvs.openbsd.org 2012/12/02 20:26:11
> [ssh_config.5 sshconnect2.c]
> Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
> This allows control of which keys are offered from tokens using
> IdentityFile. ok markus@
The behaviour changed to fix a bug: IdentitiesOnly was not being applied
to PKCS#11 hosted keys, making it impossible to control which ones were
being offered to a server.
Since the change, you are able to filter PKCS#11 keys using IdentityFile
directives. To do this, you need to specify the public key rather than
the private. The same thing works for keys held in ssh-agent.
-d
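As an added example (not part of the thread or of OpenSSH's own docs), an ssh_config stanza that applies what is described above: with IdentitiesOnly set to yes, only the token key whose public half is listed under IdentityFile is offered. The provider path is the one from the question; the host names and the ~/.ssh/token-host-key.pub file name are assumptions.

```ssh_config
# Added example, not from the thread. Assumes the token's public keys were
# exported beforehand with
#     ssh-keygen -D /Library/OpenSC/lib/onepin-opensc-pkcs11.so
# and the one key intended for this host was saved as ~/.ssh/token-host-key.pub
Host bastion.example.org
    PKCS11Provider /Library/OpenSC/lib/onepin-opensc-pkcs11.so
    # Offer only the keys named by IdentityFile; since OpenSSH 6.2 this also
    # covers keys that come from the PKCS#11 provider (and from ssh-agent)
    IdentitiesOnly yes
    # For a token (or agent) key, IdentityFile must name the PUBLIC key file;
    # there is no private key file on disk to point at
    IdentityFile ~/.ssh/token-host-key.pub

# Contrast: with IdentitiesOnly off, every key the provider returns is
# offered to the server, in whatever order the token enumerates them
Host legacy.example.org
    PKCS11Provider /Library/OpenSC/lib/onepin-opensc-pkcs11.so
    IdentitiesOnly no
```

To confirm the filter is in effect, run `ssh -v bastion.example.org` and check that only the listed key appears in the "Offering public key" debug lines.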