IdentityFile vs IdentitiesOnly
Darren Tucker
dtucker at dtucker.net
Wed Apr 3 06:59:46 AEDT 2019
On Tue, 2 Apr 2019 at 14:50, Harald Dunkel <harald.dunkel at aixigo.de> wrote:
>
[...]
> My client is 7.4 or newer, but the peers might be many years old.
> The oldest I found was version 6.0 on AIX.
In this case the version of the server doesn't matter, only the client.
> "AddKeysToAgent yes" is set.
Ah, this might be the reason, see below.
[...]
> ??? I have seen ssh-agent as a transparent means to avoid the same
> password dialog again and again. ssh chooses which keys to try,
[...]
That's true, however it chooses the order[0] in which to try them
based in part on which ones are already in the agent.
> The "Host" constructs in the config file make sure that options set
> for one host don't affect others.
It's a bit more complicated than that. For example you can have
wildcards that match multiple hosts, and some directives are not
strict overrides.
> You mean this is not the case for IdentityFile?
IdentityFile directives append to a list[1], and by default the list
has multiple entries for the various key types. Quoting
ssh_config(5):
    It is possible to have multiple identity files specified in
    configuration files; all these identities will be tried in sequence.
    Multiple IdentityFile directives will add to the list of identities
    tried (this behaviour differs from that of other configuration
    directives).
> If I drop ssh-agent support, will ssh try *other* keys in a different sequence?
Possibly. It'll depend on a few variables.
[0] https://github.com/openssh/openssh-portable/blob/master/sshconnect2.c#L1506
[1] https://github.com/openssh/openssh-portable/blob/master/readconf.c#L1060
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
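As an added illustration (not part of the message above or of OpenSSH's own documentation), the two ssh_config fragments below show the cumulative IdentityFile behaviour quoted from ssh_config(5) and how IdentitiesOnly scopes each host to the keys named for it. Host names and key paths are made up for the example.

```sshconfig
# Fragment 1: IdentityFile lines from every matching Host block
# accumulate, so "ssh old-aix" offers legacy_rsa AND work_ed25519,
# plus any keys already loaded into ssh-agent (tried first, and
# AddKeysToAgent keeps adding to that set as keys get used).
Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/work_ed25519

Host old-aix
    HostName old-aix.example.com      # placeholder host
    IdentityFile ~/.ssh/legacy_rsa    # appended to the list, not a replacement

# Fragment 2: IdentitiesOnly restricts ssh to the IdentityFile entries
# configured for the matched host (and any -i on the command line),
# ignoring extra agent keys. With no wildcard block adding keys,
# "ssh old-aix" now offers exactly one key.
Host old-aix
    HostName old-aix.example.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/legacy_rsa

Host *.example.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/work_ed25519
```

`ssh -G old-aix` prints the effective identityfile and identitiesonly values for a given host, which is the quickest way to confirm what a set of directives resolves to before connecting.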