ssh-add won't look for id_dsa in ssh-clients-2.3.0p1-4 but did in ssh-clients-2.5.1p2-1

Jim Knoble jmknoble at jmknoble.cx
Sun Mar 4 17:45:18 EST 2001


Circa 2001-Mar-03 23:47:31 +0100 dixit Markus Friedl:

: On Thu, Mar 01, 2001 at 02:10:49PM -0800, Leigh L. Klotz, Jr. wrote:
: > Am I broken in some way
: > to expect ssh-add simply
: > to work with id_dsa without an explicit argument?
: 
: no, you are not. but ssh-add did not add the keys before.
: should a default behaviour be changed?
: 
: apart from that, i don't like 'ssh-add' having default
: arguments. people forget where the private keys can be
: found if 'ssh-add' acts 'smart'. keys should always be
: explicit since they are important. but i could be wrong.

This reminds me of something else (which actually does have a bearing
on this discussion; please remain calm):

When multiple IdentityFile lines occur in both /etc/ssh/ssh_config and
~/.ssh/config, ssh checks through *all* of the listed keys, even if the
ones in ~/.ssh/config repeat the ones in /etc/ssh/ssh_config.  Why is
this?  Is it a good idea?  I'm of the opinion that it's not.  What if i
as a regular user don't want any of the keys specified in
/etc/ssh/ssh_config to be checked for at all?

In fact, i would prefer to see the more-than-one-line type of
configuration option go away completely and be replaced by one-line
items with comma-separated values, such as the Ciphers and MACs items
already use.  For example, this:

  IdentityFile ~/.ssh/id_rsa
  IdentityFile ~/.ssh/id_dsa
  IdentityFile ~/.ssh/id_rsa1
  IdentityFile ~/.ssh/identity

would change to this:

  IdentityFile ~/.ssh/id_rsa,~/.ssh/id_dsa,~/.ssh/id_rsa1,~/.ssh/identity

Granted, that's perhaps not quite as legible, but the following SHOULD
(in the RFC sense) also parse the same way:

  IdentityFile	~/.ssh/id_rsa,
		~/.ssh/id_dsa,
		~/.ssh/id_rsa1,
		~/.ssh/identity

What this syntax does is solve the problem i allude to above and in
addition answer the question "Which key is the default key?":
obviously, the first one listed.

Then, ssh-add must simply check ~/.ssh/config and /etc/ssh/ssh_config
to find out what the default key is, and add that one if no key is
specified on the command line.

Simple, obvious, and flexible, no?

Don't know if LocalForward and RemoteForward also are in the
more-than-one-line category or not; if so, they should probably also
migrate to comma-separated syntax.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
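The following is an added illustration, not code from the post or from OpenSSH: a small parser for the comma-separated IdentityFile syntax proposed above (one logical line, optionally continued across physical lines after a trailing comma), plus the ssh-add default-key lookup the post describes, where ~/.ssh/config is consulted first and /etc/ssh/ssh_config only if the user lists no keys. OpenSSH's real ssh_config never adopted this syntax; the two sample config texts are constructed, Host-block matching is deliberately out of scope, and the function names are hypothetical.

```python
"""Parse the proposed comma-separated IdentityFile syntax and pick the
default key the way the post suggests ssh-add should (hypothetical; not
OpenSSH's actual ssh_config grammar)."""
import re
from typing import List, Optional

# Constructed sample: the proposed one-line form, continued across lines.
USER_CONFIG = """# ~/.ssh/config (constructed sample)
IdentityFile\t~/.ssh/id_rsa,
\t\t~/.ssh/id_dsa,
\t\t~/.ssh/id_rsa1,
\t\t~/.ssh/identity
"""

# Constructed sample: system-wide config listing some of the same keys.
SYSTEM_CONFIG = """# /etc/ssh/ssh_config (constructed sample)
IdentityFile ~/.ssh/identity,~/.ssh/id_dsa
"""

# Constructed sample: the existing one-IdentityFile-per-line form, which
# the parser accepts too so both styles yield the same list.
LEGACY_CONFIG = """IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/id_rsa1
IdentityFile ~/.ssh/identity
"""


def logical_lines(text: str) -> List[str]:
    """Join physical lines into logical ones: strip '#' comments and blank
    lines, and treat a line ending in ',' as continued on the next line."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.endswith(","):
            continue  # proposed continuation: more entries follow
        out.append(buf)
        buf = ""
    if buf:  # dangling comma at end of file: keep what we have
        out.append(buf)
    return out


def parse_identity_files(text: str) -> List[str]:
    """Return IdentityFile entries in the order listed, duplicates removed.
    The first entry is the default key under the proposed semantics."""
    keys: List[str] = []
    for line in logical_lines(text):
        # ssh_config allows 'Keyword value' or 'Keyword=value'.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2 or parts[0].lower() != "identityfile":
            continue
        for entry in parts[1].split(","):
            entry = entry.strip()
            if entry and entry not in keys:
                keys.append(entry)
    return keys


def candidate_keys(user_cfg: str, system_cfg: str) -> List[str]:
    """Keys ssh would try: the user's list wins outright, so a user who
    lists keys never has /etc/ssh/ssh_config's keys checked as well."""
    return parse_identity_files(user_cfg) or parse_identity_files(system_cfg)


def default_identity(user_cfg: str, system_cfg: str) -> Optional[str]:
    """What 'ssh-add' with no arguments would add: the first listed key."""
    keys = candidate_keys(user_cfg, system_cfg)
    return keys[0] if keys else None


if __name__ == "__main__":
    print("user keys   :", parse_identity_files(USER_CONFIG))
    print("legacy keys :", parse_identity_files(LEGACY_CONFIG))
    print("system keys :", parse_identity_files(SYSTEM_CONFIG))
    print("ssh-add default:", default_identity(USER_CONFIG, SYSTEM_CONFIG))
    print("no user config :", default_identity("", SYSTEM_CONFIG))
```

Note that the precedence rule here is the one the post argues for (user config replaces, rather than adds to, the system list); the deduplication in parse_identity_files is what removes the repeated-key checks the post complains about within a single file.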