Strange identity ordering with sshclient and agent

Jakub Jelen jjelen at redhat.com
Tue May 2 17:37:50 AEST 2017


On 04/27/2017 07:27 PM, Martino Io wrote:
> Hello, I have a rather strange problem with a setup where keys are fed to
> SSH_AGENT and a PAM integration; let me be clear that it works flawlessly. The
> only problem I have is that whenever a key is coming from an agent, the
> order seems to be messed up, not honouring the -i option:
> 
> This is the output from a console with the agent disabled and it works as
> it should, I'm specifying the identity manually here (-i
> ~/.ssh/id_rsa_laptop)
> 
> debug1: pubkey_prepare: ssh_get_authentication_socket: Connection refused
> debug2: key: /home/martino/.ssh/id_rsa_laptop (0x561c908da690), explicit
> debug2: key: /home/martino/.ssh/id_rsa (0x561c908da9d0)
> debug3: send packet: type 5
> debug3: receive packet: type 6
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug3: send packet: type 50
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey
> debug3: start over, passed a different list publickey
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /home/martino/.ssh/id_rsa_laptop
> debug3: send_pubkey_test
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 60
> debug1: Server accepts key: pkalg ssh-rsa blen 279
> debug2: input_userauth_pk_ok
> 
> And this is the output where the agent is enabled:
> 
> debug2: key: /home/martino/.ssh/id_rsa (0x55a4dcddd9e0), agent
> debug2: key: /home/martino/.ssh/id_rsa_laptop (0x55a4dcddd6a0), explicit, agent
> debug3: send packet: type 5
> debug3: receive packet: type 6
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug3: send packet: type 50
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey
> debug3: start over, passed a different list publickey
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /home/martino/.ssh/id_rsa
> debug3: send_pubkey_test
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 60
> debug1: Server accepts key: pkalg ssh-rsa blen 279
> debug2: input_userauth_pk_ok
> 
> The settings are stored in ~/.ssh/config and both identities are added
> correctly to the agent:
> 
> 2048 SHA256: /home/martino/.ssh/id_rsa (RSA)
> 2048 SHA256: /home/martino/.ssh/id_rsa_laptop (RSA)
> 
> 
> The problem lies in the fact that both identities are accepted by the
> server (id_rsa and id_rsa_laptop) but I need the explicit key to be used
> first as it has different ACL settings in the server, not sure why it is
> not working at this point. Any help would be appreciated

This is how it has always worked. The manual page explicitly says that 
the default locations ~/.ssh/id_{rsa,dsa,ecdsa,ed25519} will be used "by 
default". There are various ways to get around that:

  * Use IdentitiesOnly, as advised by man ssh_config, to use only the 
listed identities
  * Move id_rsa away and configure it in ssh_config so that it is used only 
in the cases where you need it.

Regards,

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
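The two `ssh -vvv` runs in the thread show the problem directly in the `debug2: key:` and `debug1: Offering` lines. The script below is an added example, not code from OpenSSH or from either poster: it parses those lines (the sample logs are the ones quoted above, trimmed to the relevant lines), records which candidates are `explicit` (named via `-i` / `IdentityFile`) and which are `agent`-backed, and reports whether the first key actually offered to the server was an explicit one. When an agent-only key is offered ahead of the explicit key, it points at the `IdentitiesOnly` fix from the first bullet. The regexes assume the log format shown in the thread; other OpenSSH versions may phrase these lines differently.

```python
import re
from typing import List, NamedTuple

# Sample logs, taken from the two runs quoted in the thread and trimmed to
# the lines this check needs (agent disabled, then agent enabled).
AGENT_DISABLED_LOG = """\
debug1: pubkey_prepare: ssh_get_authentication_socket: Connection refused
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x561c908da690), explicit
debug2: key: /home/martino/.ssh/id_rsa (0x561c908da9d0)
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa_laptop
"""

AGENT_ENABLED_LOG = """\
debug2: key: /home/martino/.ssh/id_rsa (0x55a4dcddd9e0), agent
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x55a4dcddd6a0), explicit, agent
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa
"""

# ssh_config fix described in the reply above (hypothetical host name):
#   Host example
#       IdentityFile ~/.ssh/id_rsa_laptop
#       IdentitiesOnly yes

KEY_RE = re.compile(r"^debug2: key: (\S+) \(0x[0-9a-f]+\)(?:, (.*))?$")
OFFER_RE = re.compile(r"^debug1: Offering \S+ public key: (\S+)$")


class Candidate(NamedTuple):
    path: str
    explicit: bool  # named via -i or IdentityFile
    agent: bool     # also loaded in ssh-agent


def parse_candidates(log: str) -> List[Candidate]:
    """Return the key candidates in the order ssh listed them."""
    out = []
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        flags = {f.strip() for f in (m.group(2) or "").split(",") if f.strip()}
        out.append(Candidate(m.group(1), "explicit" in flags, "agent" in flags))
    return out


def offered_keys(log: str) -> List[str]:
    """Paths of the keys ssh actually offered, in order."""
    return [m.group(1) for m in map(OFFER_RE.match, log.splitlines()) if m]


def explicit_first(log: str) -> bool:
    """True when the first key offered to the server was named explicitly."""
    offered = offered_keys(log)
    if not offered:
        return False
    explicit_paths = {c.path for c in parse_candidates(log) if c.explicit}
    return offered[0] in explicit_paths


def diagnose(log: str) -> str:
    """One-line verdict: did the key the user asked for get tried first?"""
    cands = parse_candidates(log)
    offered = offered_keys(log)
    if not cands or not offered:
        return "no publickey candidates or offers found in this log"
    if explicit_first(log):
        return f"ok: explicit key {offered[0]} offered first"
    parts = [f"explicit key not offered first; first offer was {offered[0]}"]
    if any(c.agent and not c.explicit for c in cands):
        parts.append("agent-only key took precedence; set 'IdentitiesOnly yes' "
                     "for this host so only IdentityFile keys are offered")
    return "; ".join(parts)


if __name__ == "__main__":
    for name, log in (("agent disabled", AGENT_DISABLED_LOG),
                      ("agent enabled", AGENT_ENABLED_LOG)):
        print(f"{name}: {diagnose(log)}")
```

Feed it a full `ssh -vvv` transcript and it ignores everything except the candidate and offer lines. The verdict matters beyond convenience: as the original poster notes, the two keys carry different ACLs on the server, so which key is offered first decides which authorization the session ends up with.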

