Specification of identity for ssh client to use
Alan Barrett
apb at cequrux.com
Thu Dec 8 22:10:02 EST 2005
On Wed, 07 Dec 2005, Daniel Kahn Gillmor wrote:
> in particular, if you have a single identity stored in your agent, you can
> extract the public key into a file with
>
> ssh-add -L > ~/.ssh/high-priority-key.pub
Ah! I think that solves my problem. This does what I want (which is to
choose exactly one of the keys available from ssh-agent, use that key,
and disallow fallback to other keys or other authentication methods):
ssh-add -L | grep "uniquestring" >desired-key.pub
chmod 400 desired-key.pub
ssh -o "PreferredAuthentications publickey" -o "IdentitiesOnly yes" \
-i desired-key.pub user@host
See attached ssh-key-selection-demo.sh, which is intended
to be run under ssh-agent.
Also see the attached patch to the documentation, which previously
failed to explain that the file used with "-i" or "IdentityFile" could
contain a public key, and failed to explain that "IdentitiesOnly yes"
could still use keys available from the agent.
--apb (Alan Barrett)
-------------- next part --------------
#!/bin/sh
#
# ssh-key-selection-demo.sh
#
# Create an empty directory, put this script in the directory,
# cd to the directory, and run
# ssh-agent sh -x ./ssh-key-selection-demo.sh
#
#
AUTHORIZED_KEYS="${HOME}/.ssh/authorized_keys"
DESIREDKEY="key2"
for n in 1 2 3 ; do
    # generate a key (unless it's already there from a previous run)
    test -f ./key${n} \
        || ssh-keygen -t rsa -b 2048 -N "" -C "This is key${n}" -f ./key${n}
    # ensure the files are readable
    chmod 400 ./key${n} ./key${n}.pub
    # add key to authorized_keys (unless it's already there)
    grep "key${n}" "${AUTHORIZED_KEYS}" >/dev/null \
        || printf 'from="localhost",command="/bin/echo %s" %s\n' \
            "You used key${n}" "$(cat ./key${n}.pub)" \
            >>"${AUTHORIZED_KEYS}"
    # add the key to ssh-agent
    ssh-add ./key${n}
    # ensure files are unreadable
    chmod 0 ./key${n} ./key${n}.pub
done
# check what keys are available
ssh-add -l
# extract the desired key to a local file
rm -f desired-key.pub
ssh-add -L | grep "${DESIREDKEY}" >desired-key.pub
chmod 400 desired-key.pub
# Use the desired key.
#
# Because of the "PreferredAuthentications publickey" and
# "IdentitiesOnly yes", the client will not attempt to fall back to any other
# keys or password prompts.
#
# Because of the "command=" override in the ${AUTHORIZED_KEYS} file on
# the server side, it should print "You used ${DESIREDKEY}" instead of
# printing "hello".
#
ssh -o "PreferredAuthentications publickey" -o "IdentitiesOnly yes" \
-i desired-key.pub localhost echo hello
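Added example (not part of Alan Barrett's post, his demo script, or OpenSSH): the `grep "uniquestring"` step above silently produces an empty file if nothing matches, or a file holding several keys if the string is not unique, and `ssh -i` will then offer none or all of them. The helper below, with the assumed names `select_agent_key` and `write_identity_pubkey` and a constructed stand-in for `ssh-add -L` output, matches only against the key comment field and refuses to write the file unless exactly one key matches.

```sh
#!/bin/sh
# Added example, not part of Alan Barrett's post or of OpenSSH.
# Selects exactly one key from an `ssh-add -L` style listing by matching the
# comment field only, and refuses to proceed when the match is empty or
# ambiguous, so that the file handed to "ssh -i" never holds zero or several keys.

# Constructed stand-in for `ssh-add -L` output (three agent keys, one per line).
# The key blobs are shortened placeholder text, not real key material.
SAMPLE_AGENT_LISTING='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0000key1 This is key1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0000key2 This is key2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000 deploy@build-host'

# select_agent_key PATTERN  (reads the listing on stdin)
# Prints the one public-key line whose comment (field 3 onwards) matches the
# awk regular expression PATTERN.  Exit status: 0 = exactly one match,
# 1 = no match, 2 = more than one match.
select_agent_key() {
    pattern=$1
    # Keep the original line, then test the regex against the comment only,
    # so a pattern cannot accidentally match inside the base64 key blob.
    matches=$(awk -v pat="$pattern" '{
        line = $0; $1 = ""; $2 = ""; sub(/^ +/, "")
        if ($0 ~ pat) print line
    }')
    count=$(printf '%s' "$matches" | awk 'END { print NR }')
    case $count in
        0) echo "no agent key comment matches '$pattern'" >&2; return 1 ;;
        1) printf '%s\n' "$matches"; return 0 ;;
        *) echo "$count agent keys match '$pattern'; refusing to guess" >&2; return 2 ;;
    esac
}

# write_identity_pubkey PATTERN FILE  (reads the listing on stdin)
# Writes the selected public key to FILE with mode 0400, creating nothing on
# failure, so a later "ssh -o IdentitiesOnly=yes -i FILE" can only offer that key.
write_identity_pubkey() {
    file=$2
    key=$(select_agent_key "$1") || return $?
    ( umask 077; printf '%s\n' "$key" > "$file" ) && chmod 400 "$file"
}

# Demonstration on the constructed listing; no agent or ssh is invoked.
tmpdir=$(mktemp -d)
if printf '%s\n' "$SAMPLE_AGENT_LISTING" | write_identity_pubkey 'key2' "$tmpdir/desired-key.pub"; then
    echo "selected: $(cat "$tmpdir/desired-key.pub")"
    echo "would run: ssh -o PreferredAuthentications=publickey -o IdentitiesOnly=yes" \
         "-i $tmpdir/desired-key.pub user@host"
fi
# An ambiguous pattern (matches key1 and key2) is rejected rather than silently
# producing a two-key file:
printf '%s\n' "$SAMPLE_AGENT_LISTING" | write_identity_pubkey 'key' "$tmpdir/ambiguous.pub" \
    || echo "refused with exit status $?"
rm -rf "$tmpdir"
```

In real use, replace the constructed listing with `ssh-add -L | write_identity_pubkey 'key2' desired-key.pub` and only invoke ssh when that call returns 0. Matching on the comment rather than the whole line matters because a short string can appear inside the base64 blob of an unrelated key.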
-------------- next part --------------
Index: ssh.1
===================================================================
--- ssh.1 18 Sep 2005 18:27:28 -0000 1.33
+++ ssh.1 8 Dec 2005 11:01:15 -0000
@@ -561,8 +561,18 @@
should use to communicate with a smartcard used for storing the user's
private RSA key.
.It Fl i Ar identity_file
-Selects a file from which the identity (private key) for
-RSA or DSA authentication is read.
+Specifies a file from which the identity (public key or private key) for
+RSA or DSA authentication can be read.
+If an authentication agent is in use (see
+.Xr ssh-agent 1 ) ,
+the
+.Ar identity_file
+may contain a private key or a public key,
+and the file will be used to influence the order in
+which the agent offers the keys under its control.
+If an authentication agent is not in use, the
+.Ar identity_file
+must contain a private key.
The default is
.Pa $HOME/.ssh/identity
for protocol version 1, and
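Review bot: the agent case in this hunk says the identity_file is "used to influence the order in which the agent offers the keys under its control", but the IdentitiesOnly hunk later in this same patch makes the file restrict the set of keys offered, not merely their order; add a cross-reference to IdentitiesOnly in ssh_config(5) here so the two descriptions agree. The hunk also leaves undocumented what happens when the file holds a public key whose private half is not loaded in the agent; one sentence covering that case would complete the "public key or private key" wording.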
Index: ssh_config.5
===================================================================
--- ssh_config.5 23 Apr 2005 16:53:29 -0000 1.10
+++ ssh_config.5 8 Dec 2005 11:01:15 -0000
@@ -455,8 +455,18 @@
.Cm HostName
specifications).
.It Cm IdentityFile
-Specifies a file from which the user's RSA or DSA authentication identity
-is read.
+Specifies a file from which the identity (public key or private key) for
+RSA or DSA authentication can be read.
+If an authentication agent is in use (see
+.Xr ssh-agent 1 ) ,
+the
+.Ar identity_file
+may contain a private key or a public key,
+and the file will be used to influence the order in
+which the agent offers the keys under its control.
+If an authentication agent is not in use, the
+.Ar identity_file
+must contain a private key.
The default is
.Pa $HOME/.ssh/identity
for protocol version 1, and
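Review bot: the new IdentityFile paragraph repeats the ssh.1 paragraph word for word, including `.Ar identity_file`, which is the name of the ssh(1) `-i` option argument rather than anything defined in ssh_config(5); either say "the file" here or cross-reference ssh(1), so the two copies do not drift apart on the next edit. The same ordering-versus-restriction inconsistency with the IdentitiesOnly hunk applies as in the ssh.1 hunk.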
@@ -476,14 +486,21 @@
.Nm ssh
should only use the authentication identity files configured in the
.Nm
-files,
-even if the
+files or on the
+.Nm ssh
+command line,
+even if
.Nm ssh-agent
offers more identities.
The argument to this keyword must be
.Dq yes
or
.Dq no .
+Setting this option to
+.Dq yes
+does not disable the use of
+.Nm ssh-agent ,
+it merely restricts the set of keys that will be offered.
This option is intented for situations where
.Nm ssh-agent
offers many different identities.
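Review bot: the context line `This option is intented for situations where` carries a pre-existing typo ("intented" for "intended"); since the hunk already rewrites this paragraph, fix it in the same change. In the added sentence, `does not disable the use of .Nm ssh-agent , it merely restricts the set of keys that will be offered` is a comma splice; use a semicolon or split it into two sentences. The replacement `files or on the .Nm ssh command line` would also be clearer if it named the `-i` option explicitly, since that is the command-line form documented in the ssh.1 hunk.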