Oddness with agent forwarding and -i
Jefferson Ogata
Jefferson.Ogata at noaa.gov
Sat May 22 02:26:22 EST 2004
Markus Friedl wrote:
> On Thu, May 20, 2004 at 03:38:12PM -0700, Thomas Baden wrote:
>>--- Jefferson Ogata <Jefferson.Ogata at noaa.gov> wrote:
>>>I can't comment on whether this is really intended
>>>behavior, but you can easily
>>>work around it by unsetting SSH_AUTH_SOCK before you
>>>run ssh:
>>>
>>>SSH_AUTH_SOCK= ssh -i foo...
>>
>>Thanks a bunch; that seems to have done the trick.
>>I'm still curious to know whether the agent should be
>>taking precedence over the -i command-line option,
>>though.
>
> because -i might require passphrases.

If a key in agent is more accessible than the key named with -i, the user would
presumably simply refrain from passing -i.

The current behavior is weird because if you have a key with a specific command=
setting and a generic shell key, agent may authenticate with the generic key
even though you set -i. There is an option to ignore agent keys, or you can just
unset SSH_AUTH_SOCK as I noted earlier, but I think it's counter-intuitive that
a key explicitly specified with -i isn't at least tried ahead of anything in agent.

--
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
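
An added example, not part of the original message: a shell function that lists the Host blocks in an ssh_config-style file that name an IdentityFile without also setting IdentitiesOnly yes, which is where agent keys can still be offered alongside the named key. It assumes the "option to ignore agent keys" mentioned above is OpenSSH's IdentitiesOnly; the function names, host names and key paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample configuration (hypothetical hosts and key paths).
sample_config() {
    cat <<'EOF'
# restricted key (command= on the server side), but agent keys not excluded
Host backup.example.org
    IdentityFile ~/.ssh/backup_restricted

Host deploy.example.org
    IdentityFile=~/.ssh/deploy_restricted
    IdentitiesOnly yes

Host shell.example.org
    User admin
EOF
}

# audit_identities_only FILE
# Prints the pattern of every Host block that sets IdentityFile but does not
# set "IdentitiesOnly yes". Simplification: each Host block is judged on its
# own; global defaults, "Host *" fallbacks, Match and Include are not followed.
audit_identities_only() {
    awk '
        function report() {
            if (host != "" && has_key && !only) print host
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            # ssh_config accepts "Keyword value" and "Keyword=value"
            n = match(line, /[ \t=]+/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "host") { report(); host = val; has_key = 0; only = 0 }
            else if (key == "identityfile") has_key = 1
            else if (key == "identitiesonly") only = (tolower(val) == "yes")
        }
        END { report() }
    ' "$1"
}
```

Run it as `audit_identities_only ~/.ssh/config`; for a one-off connection the command-line equivalent is `ssh -o IdentitiesOnly=yes -i foo ...`.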