[Bug 3062] New: ssh client ignores IdentitiesOnly=yes if the identity file isn't found

bugzilla-daemon at bugzilla.mindrot.org
Fri Aug 30 18:18:01 AEST 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=3062

            Bug ID: 3062
           Summary: ssh client ignores IdentitiesOnly=yes if the identity
                    file isn't found
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kormat at gmail.com

This ssh command will use any key the client can find through its
normal means (i.e. agent, and ~/.ssh/id_{algo}):

  ssh -F /dev/null -o IdentitiesOnly=yes -i /something/that/doesnt/exist hostname

It will also ignore IdentitiesOnly=yes if no identity file is
specified:

  ssh -F /dev/null -o IdentitiesOnly=yes hostname

I've tested this with:
- OpenSSH_7.2p2
- OpenSSH_7.9p1
- OpenSSH_8.0p1

This contradicts the documentation, which states:
  Specifies that ssh(1) should only use the authentication identity and
  certificate files explicitly configured in the ssh_config files or
  passed on the ssh(1) command-line, even if ssh-agent(1) or a
  PKCS11Provider offers more identities.
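
A pre-flight check for the first case in the report, as an added example that is not part of the original bug report or of OpenSSH: it reads `ssh -G`-style output (assumed to be lowercase `keyword value` lines) and fails when `identitiesonly` is `yes` but a listed `identityfile` is not readable. The function name `check_identities_only` is hypothetical.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Reads "keyword value" lines on stdin, in the
# format assumed for `ssh -G <host>` output.
# Returns 0 only if identitiesonly is "yes" and every identityfile is readable;
# otherwise prints the reason and returns 1.
check_identities_only() {
    only=no
    total=0
    missing=0
    while read -r key value; do
        case "$key" in
            identitiesonly)
                only=$value ;;
            identityfile)
                # Paths may be printed with a leading "~/"; expand it by hand.
                case "$value" in
                    "~/"*) path=$HOME/${value#??} ;;
                    *)     path=$value ;;
                esac
                total=$((total + 1))
                if [ ! -r "$path" ]; then
                    echo "missing identity file: $path"
                    missing=$((missing + 1))
                fi ;;
        esac
    done
    if [ "$only" != yes ]; then
        echo "identitiesonly is not enabled"
        return 1
    fi
    if [ "$total" -eq 0 ]; then
        echo "identitiesonly=yes but no identity file is listed"
        return 1
    fi
    if [ "$missing" -gt 0 ]; then
        echo "identitiesonly=yes but $missing of $total identity files are unreadable"
        return 1
    fi
    return 0
}
```

Typical use is `ssh -G -o IdentitiesOnly=yes -i /path/to/key hostname | check_identities_only` before the real connection, so a wrong path stops the run instead of letting other keys be tried.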
