How to use ssh -i with a key from ssh-agent rather than from a file?

raf ssh at raf.org
Thu Oct 1 09:58:44 AEST 2020


On Wed, Sep 30, 2020 at 07:45:20PM +1000, Damien Miller <djm at mindrot.org> wrote:

> On Wed, 30 Sep 2020, raf wrote:
> 
> > Thanks. That's brilliant.
> > It should get a mention in the manpage.
> > I've attached a patch for ssh.1.
> > 
> > However, I've just tried it and it didn't work for me. :-(
> > 
> >   $ git config core.sshcommand
> >   ssh -i ~/.ssh/id_ed25519_github2
> 
> Personally, I find it easier to use ~/.ssh/config for this sort of
> configuration:
> 
> Host github.com
> 	User git
> 	IdentityFile ~/.ssh/id_ed25519_github2
> 	IdentitiesOnly yes # Don't use other keys in agent or on disk
> 
> You can then also "ssh -vvv github.com true" to see what is going wrong.
> 
> -d

I'd agree in general, but not in this instance. Since I
have multiple github accounts and hence multiple keys
for that user/server combination, each one leading to a
different github account, I would also have to create a
server name alias for each key, and put configurations
for each of them in the config file.

Just running a git config command per repository, and
keeping the config with the repository, seems simpler
to me.

Also, I don't think that your example would actually
solve my problem, which is the desire to get the key
from the agent rather than from a file on disk. Your
example above explicitly prevents ssh from using the
agent with "IdentitiesOnly yes".

Does this mean that your original suggestion doesn't
work, even on later versions of ssh?

New question: If I do create a key-specific hostname
alias for each of my github accounts in the
~/.ssh/config file, can I do it in the config file that
is where my private keys are (and will that config be
forwarded to the VM), or would this config need to be
local to the VM? I expect that config settings probably
wouldn't be forwarded via the agent.

If this config has to be local to the VM, I still don't
know how to tell it to get the specified key from the
agent.

I suppose I can put up with having the private key in
the VM. It's on a laptop where the private key is
anyway. It's just that I had to delete it before
exporting the VM to send to someone else. But I can put
it back.

But if anyone does implement your original suggestion,
that would be great for anyone with multiple github
accounts.

An alternative would be to change IdentityFile to also
accept a fingerprint/hash/keygrip, or add a new config
parameter IdentityKey which takes a
fingerprint/hash/keygrip argument to make it clear that
the key could come from the agent (or an unspecified
file). Just a thought.

Thanks for your time and suggestions.

cheers,
raf
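Added example, not part of raf's message or Damien Miller's reply: ssh(1) documents that `-i` may name a public key file, in which case the corresponding private key loaded in ssh-agent is used when no private key file is present locally. The sketch below picks one key out of `ssh-add -L` output by its comment and builds a per-repository `core.sshCommand` that offers only that key; the function names, key comments and sample key lines are constructed for illustration.

```shell
#!/bin/sh
# Assumption: `ssh-add -L` prints one key per line as "<type> <base64> <comment>".

# pubkey_for_comment COMMENT
# Reads `ssh-add -L` style lines on stdin and prints the one public key whose
# comment equals COMMENT. Returns non-zero on no match or an ambiguous match,
# so a wrong key is never silently written out.
pubkey_for_comment() {
    awk -v want="$1" '
        {
            c = $0
            sub(/^[^ ]+ +[^ ]+ +/, "", c)   # drop type and blob, keep comment
            if (NF >= 3 && c == want) { n++; line = $0 }
        }
        END { if (n == 1) print line; exit (n == 1 ? 0 : 1) }
    '
}

# ssh_command_for PUBFILE
# Prints the value to store in git's core.sshCommand. IdentitiesOnly=yes makes
# ssh offer only the key named by -i, not every key the agent holds.
# Assumption: PUBFILE contains no whitespace or shell metacharacters.
ssh_command_for() {
    printf 'ssh -o IdentitiesOnly=yes -i %s\n' "$1"
}

# Constructed sample of `ssh-add -L` output (not real keys).
SAMPLE_AGENT_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONEconstructed github-account-1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWOconstructed github-account-2'

# Real use inside the VM, with the agent forwarded and no private key on disk:
#   ssh-add -L | pubkey_for_comment 'github-account-2' \
#       > ~/.ssh/id_ed25519_github2.pub
#   git config core.sshCommand \
#       "$(ssh_command_for ~/.ssh/id_ed25519_github2.pub)"
#   ssh -vvv -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519_github2.pub \
#       git@github.com true
```

Only the public half of the key is stored in the VM, so the VM can be exported without deleting anything first.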



More information about the openssh-unix-dev mailing list