Keys from -i should have precedence over agent keys

Max Thoursie max at lausarve.se
Thu Jan 23 00:16:43 EST 2014


On Tue, Jan 21, 2014 at 9:56 PM, Damien Miller <djm at mindrot.org> wrote:

> On Tue, 21 Jan 2014, Max Thoursie wrote:
>
> > Hi,
> >
> > I believe it would make more sense if, when specifying a key with -i,
> > that key (or keys) should be tried prior to the keys in the agent.
> >
> > Otherwise, if I have many keys in my agent, the server will kick me out.
> > I can see no situation where one would like to use agent keys instead
> > of the ones explicitly stated.
> >
> > Do you agree?
>
> Yes, and that is what the code is supposed to do already. See
> sshconnect2.c:pubkey_prepare()


Only if I have the key specified in my agent. But keys from the command
line, not present in the agent, will be tried last. And I object to that.

From the comment in pubkey_prepare:

    try keys in the following order:
    1. agent keys that are found in the config file
    2. other agent keys
    3. keys that are only listed in the config file

I think it would make more sense to do 1,3,2.

The reason being that in config, or on the command line, you can tie a
specific key to a specific host, which you can't do in the agent. So given
that you have more keys than tries on the remote servers, you could then
solve that situation by providing a host specific config.
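As an added illustration, not part of the original thread, this is the kind of host-specific config the last paragraph refers to: a Host block in ~/.ssh/config that ties one key to one host, so the agent's other keys are never offered there and the server's authentication-attempt limit is not exhausted. IdentitiesOnly is an existing ssh_config option; the host name, user and key path are made-up placeholders.

```sshconfig
# Added example, not from the thread: tie a single key to a single host.
# Host alias, HostName, User and the key path are placeholders.
Host build-server
    HostName build.example.net
    User deploy
    # The only identity offered to this host ...
    IdentityFile ~/.ssh/id_ed25519_build
    # ... because IdentitiesOnly stops ssh from also offering every key
    # loaded in the agent, each of which would otherwise count towards the
    # server's MaxAuthTries limit before the intended key is reached.
    IdentitiesOnly yes
```

The private key may still live in the agent: with IdentitiesOnly set, ssh uses an agent identity only when it matches a listed IdentityFile, so the public-key file is enough for ssh to pick the right one.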

