Key preference

Josef Wolf jw at raven.inka.de
Fri Sep 20 22:51:53 EST 2013


Hello everybody,

I have a problem specifying identities with the -i option.

For easier ssh invocations, I have set up my ssh_config files with entries like
the following:

 Host *.domain.name
 Port 23457
 StrictHostKeyChecking yes
 UserKnownHostsFile    /dev/null
 GlobalKnownHostsFile  /etc/ssh/known-hosts/domain.name
 IdentityFile ~/.ssh/%h-dsa
 IdentityFile ~/.ssh/%h-rsa
 IdentityFile ~/.ssh/domain.name-dsa
 IdentityFile ~/.ssh/domain.name-rsa

In addition, I've set up a system similar to gitolite, which uses a dedicated
account with authorized_keys set up like this:

 command="/gitrepos/.server ab",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss pubkey-ab
 command="/gitrepos/.server cd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss pubkey-cd

This way, the connecting user is identified by their public key. This setup
works fine so far. But when I try connecting with a _specific_ key using
the -i option (to represent a specific role in the git repository), I get this
strange result:

 $ ssh -vvv -i /home/jw/.ssh/specific-key gitrepos at git.domain.name
 debug1: identity file /home/jw/.ssh/specific-key type 1
 [ ... ]
 debug2: key: /home/jw/.ssh/some-key.domain.name (0xb8db08b0)
 debug2: key: /home/jw/.ssh/specific-key (0xb8daaea0)
 [ ... ]
 debug1: Offering DSA public key: /home/jw/.ssh/some-key.domain.name

This seems strange to me. I have requested a _specific_ key with the -i
option. Why is a different key tried _before_ this specific key is even
considered? IMHO, if a specific key is specified on the command line, this
specific key (and _no_ other key) should be used.


Another annoyance is that a private key will not be loaded when the
corresponding public key is not available.


PS: Is the list on secureshell at securityfocus.com dead? If so, then
    http://www.openssh.org/de/list.html should be updated accordingly.

-- 
Josef Wolf
jw at raven.inka.de
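As an added example (not from the mail or from OpenSSH itself), the script below models how ssh assembles its IdentityFile list for a host from the poster's config: a -i identity is added to the entries of every matching Host block rather than replacing them, so the four configured keys stay on the list, whereas a per-role Host alias with a single IdentityFile and IdentitiesOnly yes pins one key and keeps ssh-agent keys out of the offer. The alias block and key paths are constructed, and the model does not cover the order in which ssh prefers agent-loaded keys.

```python
import fnmatch

# Constructed from the poster's *.domain.name block, plus an added alias
# block (assumption: a per-role alias is how one pins a single key).
SSH_CONFIG = """
Host gitrepos-ab
    HostName git.domain.name
    IdentityFile ~/.ssh/specific-key
    IdentitiesOnly yes

Host *.domain.name
    IdentityFile ~/.ssh/%h-dsa
    IdentityFile ~/.ssh/%h-rsa
    IdentityFile ~/.ssh/domain.name-dsa
    IdentityFile ~/.ssh/domain.name-rsa
"""

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, [(key, value), ...])."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append((key, value))
    return blocks

def effective_config(text, host_arg, cli_identities=()):
    """Resolve options the way ssh does: blocks are walked in file order,
    the first value seen for a scalar option wins, every IdentityFile
    (command-line -i entries first) is appended, and %h is expanded last."""
    opts = {"identityfile": list(cli_identities)}
    for patterns, entries in parse_blocks(text):
        if not any(fnmatch.fnmatchcase(host_arg, p) for p in patterns):
            continue
        for key, value in entries:
            if key == "identityfile":
                opts["identityfile"].append(value)
            else:
                opts.setdefault(key, value)
    hostname = opts.setdefault("hostname", host_arg)
    opts["identityfile"] = [f.replace("%h", hostname) for f in opts["identityfile"]]
    return opts

if __name__ == "__main__":
    # The poster's invocation: -i does not stop the four config keys being listed.
    print(effective_config(SSH_CONFIG, "git.domain.name", ["/home/jw/.ssh/specific-key"]))
    print(effective_config(SSH_CONFIG, "gitrepos-ab"))  # alias: one key, agent excluded
```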

