Strange identity ordering with sshclient and agent

Martino Io martino87rm at gmail.com
Fri Apr 28 03:27:39 AEST 2017


Hello, I have a rather strange problem with a setup where keys are fed to
SSH_AGENT and a PAM integration. Let me be clear that it works flawlessly; the
only problem I have is that whenever a key is coming from an agent, the
order seems to be messed up, not honouring the -i option:

This is the output from a console with the agent disabled, and it works as
it should. I'm specifying the identity manually here (-i
~/.ssh/id_rsa_laptop):

debug1: pubkey_prepare: ssh_get_authentication_socket: Connection refused
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x561c908da690), explicit
debug2: key: /home/martino/.ssh/id_rsa (0x561c908da9d0)
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa_laptop
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok

And this is the output where the agent is enabled:

debug2: key: /home/martino/.ssh/id_rsa (0x55a4dcddd9e0), agent
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x55a4dcddd6a0), explicit, agent
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok

The settings are stored in ~/.ssh/config and both identities are added
correctly to the agent:

2048 SHA256: /home/martino/.ssh/id_rsa (RSA)
2048 SHA256: /home/martino/.ssh/id_rsa_laptop (RSA)


The problem lies in the fact that both identities are accepted by the
server (id_rsa and id_rsa_laptop), but I need the explicit key to be used
first, as it has different ACL settings in the server. Not sure why it is
not working at this point. Any help would be appreciated.

--
Marcin
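
As an added example (not part of the original post and not OpenSSH code), this Python sketch parses ssh client debug output like the two runs quoted above and reports when the server accepted a key that was not marked "explicit" although an explicit key was in the candidate list. The function names are assumptions; the sample logs are excerpts of the lines in the post.

```python
import re

# Excerpts of the two runs quoted in the post (the mail's line wrap is kept as-is).
NO_AGENT_RUN = """\
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x561c908da690), explicit
debug2: key: /home/martino/.ssh/id_rsa (0x561c908da9d0)
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa_laptop
debug1: Server accepts key: pkalg ssh-rsa blen 279
"""
AGENT_RUN = """\
debug2: key: /home/martino/.ssh/id_rsa (0x55a4dcddd9e0), agent
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x55a4dcddd6a0), explicit,
agent
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
"""

KEY_RE = re.compile(r"^debug2: key: (\S+) \(0x[0-9a-f]+\)(?:, (.+))?$")
OFFER_RE = re.compile(r"^debug1: Offering \S+ public key: (\S+)")

def unwrap(log):
    """Rejoin debug lines that a mail client wrapped ('explicit,' / 'agent')."""
    lines = []
    for raw in log.splitlines():
        text = raw.strip()
        if text.startswith("debug") or not lines:
            lines.append(text)
        elif text:
            lines[-1] += " " + text
    return lines

def parse_run(log):
    """Return candidate keys with flags, offers in order, and the accepted key."""
    run = {"candidates": [], "offers": [], "accepted": None}
    for line in unwrap(log):
        if m := KEY_RE.match(line):
            flags = {f.strip() for f in (m.group(2) or "").split(",") if f.strip()}
            run["candidates"].append((m.group(1), flags))
        elif m := OFFER_RE.match(line):
            run["offers"].append(m.group(1))
        elif line.startswith("debug1: Server accepts key") and run["offers"]:
            run["accepted"] = run["offers"][-1]  # accept refers to the last offer
    return run

def explicit_preempted(run):
    """True if a non-explicit key was accepted while an explicit key was listed."""
    explicit = {path for path, flags in run["candidates"] if "explicit" in flags}
    return bool(explicit) and run["accepted"] not in (None, *explicit)
```

Running `explicit_preempted(parse_run(...))` over a saved debug log gives a quick yes/no on whether the key named with -i was the one the server actually accepted.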


More information about the openssh-unix-dev mailing list