IdentityFile vs IdentitiesOnly
dtucker at dtucker.net
Wed Apr 3 06:59:46 AEDT 2019
On Tue, 2 Apr 2019 at 14:50, Harald Dunkel <harald.dunkel at aixigo.de> wrote:
> My client is 7.4 or newer, but the peers might be many years old.
> The oldest I found was version 6.0 on AIX.
In this case the version of the server doesn't matter, only the client.
> "AddKeysToAgent yes" is set.
Ah, this might be the reason, see below.
> ??? I have seen ssh-agent as a transparent means to avoid the same
> password dialog again and again. ssh chooses which keys to try,
That's true; however, it chooses the order in which to try them
based in part on which ones are already in the agent.
> The "Host" constructs in the config file make sure that options set
> for one host don't affect others.
It's a bit more complicated than that. For example you can have
wildcards that match multiple hosts, and some directives are not
> You mean this not the case for IdentityFile?
IdentityFile directives append to a list, and by default the list
has multiple entries for the various key types. Quoting
It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.
Multiple IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configura‐
> If I drop ssh-agent support, will ssh try *other* keys in a different sequence?
Possibly. It'll depend on a few variables.
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
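The following ssh_config fragment is an added example and is not part of the thread above or of OpenSSH's own documentation. It illustrates the two points the reply makes: IdentityFile directives from every matching Host block are appended to one list (unlike most options, where the first matching value wins), and with AddKeysToAgent the keys already loaded into ssh-agent also influence which keys are offered, which IdentitiesOnly restricts to the configured files. The host names and key paths are assumptions made up for the example.

```sshconfig
# Added example, not from the original message. The hosts
# legacy-aix.example.com and build.example.com and all key paths are
# hypothetical.

# Most options take their value from the FIRST matching block.
# IdentityFile is the exception: every matching block appends to the
# list of keys ssh will offer, so this host ends up with two keys
# (its own plus the one from "Host *" below).
Host legacy-aix.example.com
    User harald
    IdentityFile ~/.ssh/id_aix_rsa
    # Offer only the keys named by IdentityFile in the matching blocks,
    # even when ssh-agent holds more identities. Without this, keys
    # that AddKeysToAgent has loaded into the agent are offered as well,
    # and the agent's contents affect the order in which keys are tried.
    IdentitiesOnly yes

# Weak setting for comparison: no IdentitiesOnly, so this host gets its
# own key, the "Host *" key, and whatever else is sitting in the agent.
Host build.example.com
    IdentityFile ~/.ssh/id_build_rsa

# Wildcard block: it also matches the two hosts above, so its
# IdentityFile is appended to their lists and AddKeysToAgent applies
# to every connection.
Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_shared_rsa
```

To see the effective list for a given host without connecting, run `ssh -G legacy-aix.example.com` and look at the `identityfile` and `identitiesonly` lines in its output; this shows exactly which files accumulated from the matching blocks.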