Key preference
Josef Wolf
jw at raven.inka.de
Fri Sep 20 22:51:53 EST 2013
Hello everybody,
I have a problem specifying identities with the -i option.
For easier ssh invocations, I have set up my ssh_config files with entries like
the following:
Host *.domain.name
Port 23457
StrictHostKeyChecking yes
UserKnownHostsFile /dev/null
GlobalKnownHostsFile /etc/ssh/known-hosts/domain.name
IdentityFile ~/.ssh/%h-dsa
IdentityFile ~/.ssh/%h-rsa
IdentityFile ~/.ssh/domain.name-dsa
IdentityFile ~/.ssh/domain.name-rsa
In addition, I've set up a system similar to gitolite, which uses a dedicated
account with authorized_keys set up like this:
command="/gitrepos/.server ab",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss pubkey-ab
command="/gitrepos/.server cd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss pubkey-cd
This way, the connecting user is identified by its public key. This setup
works fine so far. But when I try connecting with a _specific_ key using
the -i option (to represent a specific role in the git repository), I get this
strange result:
$ ssh -vvv -i /home/jw/.ssh/specific-key gitrepos@git.domain.name
debug1: identity file /home/jw/.ssh/specific-key type 1
[ ... ]
debug2: key: /home/jw/.ssh/some-key.domain.name (0xb8db08b0)
debug2: key: /home/jw/.ssh/specific-key (0xb8daaea0)
[ ... ]
debug1: Offering DSA public key: /home/jw/.ssh/some-key.domain.name
This seems strange to me. I have requested a _specific_ key with the -i
option. Why is a different key tried _before_ this specific key is even
considered? IMHO, if a specific key is specified on the command line, this
specific key (and _no_ other key) should be used.
Another annoyance is that a private key will not be loaded when the
corresponding public key is not available.
PS: Is the list on secureshell at securityfocus.com dead? If so, then
http://www.openssh.org/de/list.html should be updated accordingly.
--
Josef Wolf
jw at raven.inka.de
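Editor's note: the observed behaviour follows from how OpenSSH accumulates identities. Every IdentityFile from each matching Host block is kept, -i appends one more, and all of them are offered in turn, so the server sees whichever key happens to win first. A client-side way to pin a single key is a per-role Host alias (one that the Host *.domain.name pattern does not match) with IdentitiesOnly yes and a single IdentityFile; IdentitiesOnly also stops the agent from offering extra keys. On the server side, a gitolite-style setup such as the one above is only as safe as the forced command itself, since the role is whatever argument follows command= for the key that authenticated. The script below is an added example of such a dispatcher, not the /gitrepos/.server script from the post, whose contents are not shown: it takes the role as its argument, accepts only the two git service commands in SSH_ORIGINAL_COMMAND, rejects repository names that could escape the repository root, and checks the role against a small constructed access table (the role names ab and cd and the repository names are placeholders).

```shell
#!/bin/sh
# Hypothetical forced-command dispatcher in the spirit of the post's
# /gitrepos/.server (example code, not the original script). Used from
# authorized_keys as:
#   command="/gitrepos/.server ab",no-port-forwarding,no-X11-forwarding,\
#     no-agent-forwarding,no-pty ssh-dss pubkey-ab
# so $1 is the role bound to the key that authenticated, and the command the
# client asked for arrives untrusted in SSH_ORIGINAL_COMMAND.

REPO_ROOT="${REPO_ROOT:-/gitrepos}"

# Constructed access table: one "repo:perm" line per grant.
# rw allows push and fetch, r allows fetch/clone only.
access_for_role() {
    case "$1" in
        ab) printf '%s\n' 'project1:rw' 'project2:r' ;;
        cd) printf '%s\n' 'project1:r' ;;
        *)  return 1 ;;   # unknown role: no grants at all
    esac
}

# Accept exactly "git-upload-pack '<repo>'" or "git-receive-pack '<repo>'".
# Prints "<verb> <repo>" where verb is r (fetch) or rw (push); fails otherwise.
parse_git_command() {
    cmd=$1
    case "$cmd" in
        "git-upload-pack '"*"'")  verb=r ;;
        "git-receive-pack '"*"'") verb=rw ;;
        *) return 1 ;;
    esac
    repo=${cmd#* \'}      # strip everything up to the first " '"
    repo=${repo%\'}       # strip the closing quote
    [ -n "$repo" ] || return 1
    case "$repo" in
        *[!A-Za-z0-9._-]*|.*) return 1 ;;   # no '/', quotes, spaces or dotfiles
    esac
    printf '%s %s\n' "$verb" "$repo"
}

# authorize ROLE COMMAND: 0 if the role may run that command, 1 otherwise.
authorize() {
    role=$1
    parsed=$(parse_git_command "$2") || return 1
    verb=${parsed%% *}
    repo=${parsed#* }
    entries=$(access_for_role "$role") || return 1
    for entry in $entries; do
        [ "${entry%%:*}" = "$repo" ] || continue
        perm=${entry#*:}
        [ "$perm" = rw ] && return 0
        [ "$perm" = r ] && [ "$verb" = r ] && return 0
    done
    return 1
}

# Entry point when invoked by sshd: run the git service on the allowed repo.
main() {
    role=$1
    if ! authorize "$role" "${SSH_ORIGINAL_COMMAND:-}"; then
        echo "access denied for role $role" >&2
        exit 1
    fi
    parsed=$(parse_git_command "$SSH_ORIGINAL_COMMAND")
    verb=${parsed%% *}
    repo=${parsed#* }
    if [ "$verb" = rw ]; then svc=git-receive-pack; else svc=git-upload-pack; fi
    exec "$svc" "$REPO_ROOT/$repo"
}

# Dispatch only when called with the role argument from authorized_keys.
if [ $# -eq 1 ]; then
    main "$1"
fi
```

The parser is deliberately strict rather than clever: anything that is not one of the two git service commands with a plain repository name is refused, which also covers shell metacharacters smuggled in after a closing quote. The forced command does not choose the role; it can only refuse to act on a role that the client's first-offered key happened to bind, which is why pinning the key on the client (IdentitiesOnly plus a per-role alias) is the other half of the fix.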