[Bug 2066] ssh tries the keys proposed by the agent before those passed with -i

bugzilla-daemon at mindrot.org
Fri Feb 8 11:33:35 EST 2013


https://bugzilla.mindrot.org/show_bug.cgi?id=2066

--- Comment #4 from Paul Wise <pabs3 at bonedaddy.net> ---
There are two keys:

One is password-protected. This key is listed in the Hosts *
IdentityFile in ~/.ssh/config and added to the ssh-agent with ssh-add
-c, meaning it requires confirmation before use. 

The other is not password-protected. It is not added to the ssh-agent.
Its use is command-limited on the server side to pulling from git
repositories:

command="/usr/bin/git-upload-pack ${SSH_ORIGINAL_COMMAND#* }",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ...

In order to use the passwordless key for git pull but not git push, I
set GIT_SSH to a script that does this instead when connecting to a
host that supports my passwordless key:

unset SSH_AUTH_SOCK  # <--- This part is a workaround for this bug (2066)
ssh -o 'ControlMaster auto' -o 'ControlPath ~/.ssh/git-control-%l->%r@%h:%p' -i ~/.ssh/my-git-key "$@"

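A server-side variant of the command restriction described in comment #4, as an added example that is not from the bug report or from the OpenSSH or git projects: a forced-command wrapper that accepts only a single-repository upload-pack request and refuses everything else. The wrapper itself, the sample requests and the set of allowed path characters are assumptions; /usr/bin/git-upload-pack is the path used in the comment.

```shell
#!/bin/sh
# Added example: pull-only forced-command wrapper (hypothetical script).
# Reference it from command="..." on the authorized_keys line of the
# passwordless key, next to the no-pty / no-*-forwarding options.

# Print the repository path if $1 is a plain upload-pack request, else fail.
parse_upload_pack() {
    case $1 in
        "git-upload-pack '"*"'" | "git upload-pack '"*"'") ;;
        *) return 1 ;;                  # receive-pack, shells, anything else
    esac
    repo=${1#*\'}                       # text after the first single quote
    repo=${repo%\'}                     # minus the closing single quote
    case $repo in
        '' | -* | *..*) return 1 ;;     # empty, option-like, path traversal
        *[!A-Za-z0-9._/-]*) return 1 ;; # quotes, spaces, shell metacharacters
    esac
    printf '%s\n' "$repo"
}

if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    # Running under sshd as the forced command for the restricted key.
    repo=$(parse_upload_pack "$SSH_ORIGINAL_COMMAND") || {
        echo "pull-only key: request refused" >&2
        exit 1
    }
    exec /usr/bin/git-upload-pack "$repo"
else
    # Not under sshd: show the decision for a few constructed requests.
    for sample in "git-upload-pack '/srv/git/project.git'" \
                  "git-receive-pack '/srv/git/project.git'" \
                  "git-upload-pack '../other.git'"; do
        if parse_upload_pack "$sample" >/dev/null; then
            verdict=allow
        else
            verdict=refuse
        fi
        printf '%-45s %s\n' "$sample" "$verdict"
    done
fi
```

Unlike the parameter-expansion form, the repository path reaches git-upload-pack as one quoted argument, and a push attempt with this key is refused before git runs.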