[Bug 2970] New: explicit IdentityFile has lower priority than agent keys

bugzilla-daemon at bugzilla.mindrot.org
Mon Feb 18 20:35:53 AEDT 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2970

            Bug ID: 2970
           Summary: explicit IdentityFile has lower priority than agent
                    keys
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: Other
                OS: Windows 7
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: basinilya at gmail.com

I need to offer a non-default ssh key when I access some git repos. In
my `~/.gitconfig` I have:

    [url "git@gh-org:privateorg/"]
            insteadOf = git@github.com:privateorg/

And in my `~/.ssh/config` I have:

    Host gh-org
            HostName github.com
            IdentityFile ~/.ssh/zzz-basi01.id_rsa.disabled

`.disabled` means it should not be added to the agent automatically so
I don't have too many keys in it (to address "Too many authentication
failures" on password-protected servers).

However, if the key is *not* added to the agent, when I try to connect,
ssh first tries the agent keys:

    debug1: Will attempt key: /home/basin/.ssh/id_rsa RSA xxxxx agent
    debug1: Will attempt key: funktestkey RSA xxxx agent
    debug1: Will attempt key: /home/basin/.ssh/zzz-basi01.id_rsa.disabled  explicit
    ...
    debug1: Offering public key: /home/basin/.ssh/id_rsa RSA xxxxx agent
    ...
    debug1: Server accepts key: /home/basin/.ssh/id_rsa RSA xxxx agent


The workaround is to disable agent usage with `IdentityAgent none`.

However, I expect ssh to try the identities from the agent and files in
a mixed manner, explicit first.

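Added example (not part of the original report and not OpenSSH code): a small Python check that reads `ssh -v` output like the lines quoted above and reports which identities were queued ahead of the explicit `IdentityFile` and whether the key the server accepted was the explicit one. The sample log is constructed from the report's lines with placeholder fingerprints; the function names are hypothetical, and it assumes unwrapped log lines and key paths without spaces.

```python
import re

# Constructed sample modelled on the debug lines in the report (placeholder fingerprints).
SAMPLE = """\
debug1: Will attempt key: /home/basin/.ssh/id_rsa RSA SHA256:PLACEHOLDER1 agent
debug1: Will attempt key: funktestkey RSA SHA256:PLACEHOLDER2 agent
debug1: Will attempt key: /home/basin/.ssh/zzz-basi01.id_rsa.disabled  explicit
debug1: Offering public key: /home/basin/.ssh/id_rsa RSA SHA256:PLACEHOLDER1 agent
debug1: Server accepts key: /home/basin/.ssh/id_rsa RSA SHA256:PLACEHOLDER1 agent
"""

LINE = re.compile(r"^debug1: (Will attempt key|Server accepts key): (.+)$")
FLAGS = {"agent", "explicit"}  # trailing markers seen in the quoted output


def parse_identity(text):
    """Split '<name> [type] [fingerprint] [flags...]' into name and trailing flags."""
    tokens = text.split()
    flags = set()
    while len(tokens) > 1 and tokens[-1] in FLAGS:
        flags.add(tokens.pop())
    return {"name": tokens[0], "flags": flags}


def audit(log):
    """Report the attempt order and whether the accepted key was the explicit one."""
    candidates, accepted = [], None
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ident = parse_identity(m.group(2))
        if m.group(1) == "Will attempt key":
            candidates.append(ident)
        else:
            accepted = ident
    explicit = {c["name"] for c in candidates if "explicit" in c["flags"]}
    ahead = []
    for c in candidates:          # identities queued before the first explicit one
        if c["name"] in explicit:
            break
        ahead.append(c["name"])
    return {
        "tried_before_explicit": ahead if explicit else [],
        "accepted": accepted["name"] if accepted else None,
        "accepted_is_explicit": bool(accepted) and accepted["name"] in explicit,
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `tried_before_explicit` together with `accepted_is_explicit` being false means the session authenticated as an agent identity rather than the one named in `~/.ssh/config`.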