How to use ssh -i with a key from ssh-agent rather than from a file?
raf
ssh at raf.org
Thu Oct 1 09:26:15 AEST 2020
On Wed, Sep 30, 2020 at 02:13:20PM +0530, Danishka Navin <danishka at gmail.com> wrote:
> On Wed, Sep 30, 2020 at 1:40 PM raf <ssh at raf.org> wrote:
>
> > On Wed, Sep 30, 2020 at 03:35:43PM +1000, Damien Miller <djm at mindrot.org>
> > wrote:
> >
> > > On Wed, 30 Sep 2020, raf wrote:
> > >
> > > > Hi,
> > > >
> > > > I have a VM with a git repository whose origin is on
> > > > github. I have several keys known to github, so I needed
> > > > to set git's core.sshcommand config parameter in the
> > > > repository to something like this:
> > > >
> > > > ssh -i ~/.ssh/id_ed25519_github2
> > > >
> > > > But it meant that I needed to copy that key to the VM.
> > > > The same key is available via my forwarded ssh-agent
> > > > connection. Is it possible to tell ssh to use that
> > > > instead of the key in a file? The documentation for the
> > > > -i option only mentions files.
> > >
> > > ssh will read the public key (id_ed25519_github2.pub) to identify the key
> > > before it tries to use the private key (id_ed25519_github2). If the
> > private
> > > key is available in the agent then it will never try to use the private
> > key
> > > file.
> > >
> > > Summary: copy id_ed25519_github2.pub to your VM and the above command
> > will
> > > work.
> > >
> > > -d
> >
> > Hi Damien,
> >
> > Thanks. That's brilliant.
> > It should get a mention in the manpage.
> > I've attached a patch for ssh.1.
> >
> > However, I've just tried it and it didn't work for me. :-(
> >
> > $ git config core.sshcommand
> > ssh -i ~/.ssh/id_ed25519_github2
> >
> > $ ls -l ~/.ssh/id*
> > -rw-r--r-- 1 raf raf 110 Dec 19 2019
> > /home/raf/.ssh/id_ed25519_github2.pub
> >
> > $ cat ~/.ssh/id_ed25519_github2.pub
> > ssh-ed25519
> > AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK
> > user at domain.com
> >
> > $ ssh-add -L
> > ssh-ed25519
> > AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK
> > user at domain.com
> > [...]
> >
> > $ git pull
> > Warning: Identity file /home/raf/.ssh/id_ed25519_aps_github not
> > accessible: No such file or directory.
> > ERROR: Repository not found.
> >
>
> >From where this id_ed25519_*aps*_githubfile coming?
Sorry, that's the real name of the key file. I missed
changing it to match the other appearances. The point
in using ...github2 was to indicate the fact that I
have multiple keys in my agent that are known to
github, and without telling ssh which one to use for a
given git repository, ssh would try all the keys in
some arbitrary(?) order and one of the others might be
tried first and work, i.e. one of the keys that doesn't
have write permission to the repository in question
because it is for a different github account. This is
probably only an issue when you have multiple working
keys for a server, but only one of them will get you
what you actually need after the original
authentication has taken place. Github is probably
a special case because all accounts use the same
ssh username "git".
cheers,
raf
More information about the openssh-unix-dev
mailing list