Key preference

Josef Wolf jw at raven.inka.de
Sun Sep 22 20:01:33 EST 2013


On Fr, Sep 20, 2013 at 11:47:06 +1000, Darren Tucker wrote:
> On Fri, Sep 20, 2013 at 02:51:53PM +0200, Josef Wolf wrote:
> > I have a problem specifying identities with the -i option.
> [...]
> > This seems strange to me. I have requested a _specific_ key with the -i
> > option. Why is a different key tried _before_ this specific key is even
> > considered?
> 
> If your ssh-agent has keys those will be offered to the server first.

IMHO, it seems to be _very_ counter-intuitive to prefer something loaded in
the background when a specific key was requested _explicitly_ on the command
line.

> You can change that with the IdentitiesOnly option.

Ummm, the documentation of this option doesn't mention command line options at
all. It talks only about identities configured in ssh_config.

> > Another annoyance is that a private key will not be loaded when the
> > corresponding public key is not available.
> 
> That's because if the private key is encrypted it'd need to prompt you
> for the passphrase every time you made a connection whether the key can
> be used or not.
> 
> The way pubkey auth works is the client says "if I proved I had the
> private key corresponding to this public key fingerprint would that
> work?" and the server replies with yes or no.

I see.

> In your case, what's
> probably happening is that you have keys in your agent which the server
> will also accept.

Yes, of course!

First, I have my standard key loaded, which I use for my everyday work on this
server.

In addition, I have multiple keys for this git repository, since I have
multiple roles in its workflow.

So, when I need to do something with a specific role, I'd specify the
corresponding key with the -i option to override the keys offered by
ssh-agent. And I'm _very_ surprised that my keys from ssh-agent are used
instead of the _explicitly_ _specified_ key.

IMHO, in security software, surprising behavior is evil.

-- 
Josef Wolf
jw at raven.inka.de
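The per-role setup discussed in this thread, written out as an ssh_config fragment. This is an added example, not part of the original message; the host alias names, the server name git.example.org, the user name and the key file paths are placeholders. IdentitiesOnly yes is what keeps ssh from offering the everyday key from ssh-agent before the role key.

```sshconfig
# Added example; host names, user and key paths are placeholders.

# Everyday work on the server: keys from ssh-agent are offered as usual.
Host gitserver
    HostName git.example.org
    User git

# One alias per repository role. With IdentitiesOnly yes, ssh offers only the
# IdentityFile listed here, even if ssh-agent holds other keys the server
# would also accept. If the role key is loaded in the agent, the agent still
# signs for it; the other agent keys are simply not offered.
Host gitserver-reviewer
    HostName git.example.org
    User git
    IdentityFile ~/.ssh/id_reviewer
    IdentitiesOnly yes

Host gitserver-maintainer
    HostName git.example.org
    User git
    IdentityFile ~/.ssh/id_maintainer
    IdentitiesOnly yes

# Keep the matching public key (id_reviewer.pub, id_maintainer.pub) next to
# each private key, so ssh can offer the key without first decrypting it.
```

Pick the role with the alias, e.g. `git clone gitserver-reviewer:project.git`, and check with `ssh -v gitserver-reviewer` that the "Offering public key" lines name only the reviewer key; for a one-off command without the config entry, `ssh -o IdentitiesOnly=yes -i ~/.ssh/id_reviewer git@git.example.org` has the same effect.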

