Keys from -i should have precedence over agent keys
Max Thoursie
max at lausarve.se
Thu Jan 23 00:16:43 EST 2014
On Tue, Jan 21, 2014 at 9:56 PM, Damien Miller <djm at mindrot.org> wrote:
> On Tue, 21 Jan 2014, Max Thoursie wrote:
>
> > Hi,
> >
> > I believe it would make more sense if, when specifying a key with -i,
> > that key (or keys) should be tried prior to the keys in the agent.
> >
> > Otherwise, if I have many keys in my agent, the server will kick me out.
> > I can see no situation where one would like to use agent keys instead
> > of the ones explicitly stated.
> >
> > Do you agree?
>
> Yes, and that is what the code is supposed to do already. See
> sshconnect2.c:pubkey_prepare()
Only if I have the key specified in my agent. But keys from the command
line, not present in the agent, will be tried last, and I object to that.
From the comment in pubkey_prepare:
    try keys in the following order:
    1. agent keys that are found in the config file
    2. other agent keys
    3. keys that are only listed in the config file
I think it would make more sense to do 1,3,2.
The reason being that in config, or on the command line, you can tie a
specific key to a specific host, which you can't do in the agent. So given
that you have more keys than tries on the remote servers, you could then
solve that situation by providing a host specific config.
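As an added illustration (not code from OpenSSH or from anyone in this thread), the following Python models the three key buckets named in the pubkey_prepare() comment together with sshd's MaxAuthTries budget (default 6), and shows why a key given only via -i or IdentityFile is never reached when the agent holds more keys than the server allows tries. The Key class, the identities_only switch, the simplified "one rejected key = one try" accounting and the sample key names are assumptions made for this example.

```python
"""Toy model of the public-key ordering discussed above.

Added example, not OpenSSH code: pubkey_prepare() in sshconnect2.c works on
real key structures, but the ordering question only depends on which bucket
each key falls into, so buckets are enough to reproduce the problem.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    name: str
    in_agent: bool = False
    in_config: bool = False   # listed via IdentityFile in ssh_config or -i


def order_keys(keys, proposed=False):
    """Return keys in the order the client would offer them.

    Default mirrors the comment in pubkey_prepare():
      1. agent keys that are also found in the config
      2. other agent keys
      3. keys that are only listed in the config
    proposed=True applies the 1, 3, 2 order suggested in the post.
    """
    tier1 = [k for k in keys if k.in_agent and k.in_config]
    tier2 = [k for k in keys if k.in_agent and not k.in_config]
    tier3 = [k for k in keys if k.in_config and not k.in_agent]
    return tier1 + tier3 + tier2 if proposed else tier1 + tier2 + tier3


def authenticate(keys, accepted, max_auth_tries=6, proposed=False,
                 identities_only=False):
    """Simulate the server's MaxAuthTries budget (sshd default: 6).

    Simplification (assumption): every offered key the server rejects costs
    one try, and the server disconnects as soon as the budget is spent.
    identities_only=True offers only keys from the config, which is what the
    real IdentitiesOnly option in ssh_config does; that option is not part
    of the thread but is the usual workaround.
    Returns the name of the accepted key, or None if the client was cut off.
    """
    candidates = order_keys(keys, proposed)
    if identities_only:
        candidates = [k for k in candidates if k.in_config]
    tries = 0
    for key in candidates:
        if key.name in accepted:
            return key.name
        tries += 1
        if tries >= max_auth_tries:
            return None          # "Too many authentication failures"
    return None


if __name__ == "__main__":
    # Constructed sample: seven keys in the agent, one host-specific key
    # given only with -i, and a server that accepts only the latter.
    agent_keys = [Key(f"agent{i}", in_agent=True) for i in range(7)]
    host_key = Key("host-key", in_config=True)
    keys = agent_keys + [host_key]
    print("default order :", authenticate(keys, {"host-key"}))
    print("proposed order:", authenticate(keys, {"host-key"}, proposed=True))
    print("IdentitiesOnly:", authenticate(keys, {"host-key"},
                                          identities_only=True))
```

With the default order the seven agent keys are offered first, the sixth rejection exhausts MaxAuthTries, and the host-specific key is never tried; with the proposed 1, 3, 2 order (or with the config-only filter) it is offered first and succeeds. The same model also shows why Damien's reading holds for a key that is both in the agent and in the config: that key lands in tier 1 under either ordering.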