ssh-agent and IdentityFile

Tony Kay tony.kay at gmail.com
Wed Dec 14 09:52:38 EST 2011


I've noticed that the ssh-agent applies any keys it already has
passwords for (via ssh-add) first, overriding the ssh config files for
preferred identity file from .ssh/config and -i. This seems a
documented behavior.

However, this causes problems with some tool chains that use the
authorized_keys command directive to change behavior based on which
key is used.

In my case, I use gitolite for git repositories, and we have a number
of developers, each with different permissions. As the admin, I have
more than one SSH identity that gives me different permissions on the
server (again, through a command directive on authorized_keys on the
server).

So, my .ssh/config uses two different Host configs, so I can use the
alias hostname to get to the different access permissions:

Host=hostA
Hostname=repos.example.com
IdentityFile=usera

Host=hostAAdmin
Hostname=repos.example.com
IdentityFile=userb

Of course, these key files are password protected.

Once ssh-agent has the usera or userb key installed, it ignores the
config...meaning I have to do a lot of shuffling with ssh-add...and
I've lost the benefit of using ssh-agent at all...worse, now I'm
typing ssh-add -D, followed by ssh-add identity, followed by the
password again! I just end up killing ssh-agent and typing
passwords....unless I'm on OSX, which auto-starts ssh-agent every time
I use ssh.

This seems incorrect, since I would not have configured IdentityFile
if it didn't matter to me.

I would consider this a bug, though I know it is a documented
"feature"...which is why I'm writing here.

Please enlighten me.

Tony
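Added example (not from the original post or the OpenSSH project): the poster's two-alias layout written so that each alias pins one key and the agent's other identities are not offered. The fix is the documented ssh_config option IdentitiesOnly, which makes ssh use only the configured IdentityFile entries even when ssh-agent holds more keys, so the authorized_keys command= entry bound to that key is the one that runs. The script writes the config to a temporary directory and checks the resolved settings with `ssh -G`, which dumps the effective configuration for an alias without connecting; hostnames and key names are the poster's, the temp-dir paths are constructed for the example.

```shell
#!/bin/sh
# Added example: pin each Host alias to exactly one key so ssh-agent cannot
# substitute another identity. Assumes the `ssh` client is on PATH; key files
# need not exist for `ssh -G` to resolve the configuration.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/config"

# Unquoted heredoc so $WORK expands; absolute paths avoid tilde-expansion
# differences between ssh versions when the config is dumped back.
cat > "$CFG" <<EOF
# Both aliases reach the same server. The key decides which authorized_keys
# command= entry runs, so the agent must not be allowed to offer a different one.
Host hostA
    Hostname repos.example.com
    IdentityFile $WORK/usera
    IdentitiesOnly yes

Host hostAAdmin
    Hostname repos.example.com
    IdentityFile $WORK/userb
    IdentitiesOnly yes
EOF

# Print the effective value of one ssh_config keyword for an alias.
# `ssh -G` prints keywords in lowercase, one per line, e.g. "identitiesonly yes".
effective_option() {
    alias="$1"; key="$2"
    ssh -G -F "$CFG" "$alias" | awk -v k="$key" '$1 == k { print $2; exit }'
}

if command -v ssh >/dev/null 2>&1; then
    for alias in hostA hostAAdmin; do
        printf '%-10s hostname=%s identityfile=%s identitiesonly=%s\n' "$alias" \
            "$(effective_option "$alias" hostname)" \
            "$(effective_option "$alias" identityfile)" \
            "$(effective_option "$alias" identitiesonly)"
    done
else
    echo "ssh client not found; wrote config to $CFG" >&2
fi
```

Without IdentitiesOnly, ssh asks the agent for its keys first and tries them in the agent's order, which is why the poster's usera/userb selection stopped working as soon as either key was loaded; with it, the agent is still consulted, but only for the key named in the matching Host block, so the passphrase is entered once per key and the alias still selects the permission level.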

