On Tue, Jan 21, 2014 at 9:56 PM, Damien Miller <djm at mindrot.org> wrote:
> On Tue, 21 Jan 2014, Max Thoursie wrote:
>
> > Hi,
> >
> > I believe it would make more sense if, when specifying a key with -i,
> > that key (or keys) should be tried prior to the keys in the agent.
> >
> > Otherwise, if I have many keys in my agent, the server will kick me out.
> > I can see no situation where one would like to use agent keys instead of
> > the ones explicitly stated.
> >
> > Do you agree?
>
> Yes, and that is what the code is supposed to do already. See
> sshconnect2.c:pubkey_prepare()

Only if I have the key specified in my agent. But keys from the command
line, not present in the agent, will be tried last. And I object to that.

From the comment in pubkey_prepare:

    try keys in the following order:
    1. agent keys that are found in the config file
    2. other agent keys
    3. keys that are only listed in the config file

I think it would make more sense to do 1, 3, 2. The reason being that in
config, or on the command line, you can tie a specific key to a specific
host, which you can't do in the agent. So given that you have more keys
than tries on the remote servers, you could then solve that situation by
providing a host-specific config.
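As an added example (not part of the thread and not OpenSSH's own code), the following Python model builds the three key groups named in the quoted pubkey_prepare() comment, produces both the current 1,2,3 order and the proposed 1,3,2 order, and counts how many refused offers a server sees before the accepted key comes up. Everything in it is an assumption not stated on the page: keys are plain strings, group 1 keeps the agent's enumeration order, MAX_TRIES = 6 stands in for a server-side attempt limit, and every refused public-key offer counts as one failed attempt; the key names and the accepted set are constructed sample data.

```python
"""Model of the public-key try order discussed in this thread.

Added example, not OpenSSH code. It mirrors the three groups named in the
pubkey_prepare() comment and the 1,3,2 alternative, then counts how many
rejected offers a server sees before the accepted key is reached.
Assumptions (not stated on the page): keys are plain strings; group 1 keeps
the agent's enumeration order; MAX_TRIES = 6 stands in for the server's
attempt limit; every refused public-key offer counts as one failed attempt.
"""

MAX_TRIES = 6  # assumption: server-side limit on failed attempts


def split_groups(agent_keys, config_keys):
    """Return (in_both, agent_only, config_only), preserving listing order."""
    config = set(config_keys)
    agent = set(agent_keys)
    in_both = [k for k in agent_keys if k in config]          # group 1
    agent_only = [k for k in agent_keys if k not in config]   # group 2
    config_only = [k for k in config_keys if k not in agent]  # group 3
    return in_both, agent_only, config_only


def current_order(agent_keys, config_keys):
    """Order in the quoted comment: 1, 2, 3."""
    in_both, agent_only, config_only = split_groups(agent_keys, config_keys)
    return in_both + agent_only + config_only


def proposed_order(agent_keys, config_keys):
    """Order proposed in the reply: 1, 3, 2."""
    in_both, agent_only, config_only = split_groups(agent_keys, config_keys)
    return in_both + config_only + agent_only


def simulate(order, accepted, max_tries=MAX_TRIES):
    """Offer keys in `order` to a server that accepts the keys in `accepted`.

    Returns ("ok", n) when the n-th offer is accepted, ("kicked", max_tries)
    when max_tries offers were refused before that, or ("exhausted", failures)
    if the client ran out of keys first.
    """
    failures = 0
    for key in order:
        if key in accepted:
            return ("ok", failures + 1)
        failures += 1
        if failures >= max_tries:
            return ("kicked", failures)
    return ("exhausted", failures)


# Constructed sample: seven unrelated keys loaded in the agent, one
# host-specific key given with -i / IdentityFile that the agent does not
# hold, and a server that accepts only that host-specific key.
AGENT_KEYS = ["id_work", "id_github", "id_aws", "id_lab",
              "id_old_rsa", "id_ci", "id_backup"]
CONFIG_KEYS = ["id_hostspecific"]
ACCEPTED = {"id_hostspecific"}


def compare(agent_keys=AGENT_KEYS, config_keys=CONFIG_KEYS, accepted=ACCEPTED):
    """Outcome under both orders for the same agent, config and server."""
    return {
        "current": simulate(current_order(agent_keys, config_keys), accepted),
        "proposed": simulate(proposed_order(agent_keys, config_keys), accepted),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:8s} -> {result}")
```

With the sample above the current order offers all seven agent keys first and is cut off after six refusals, while the proposed order offers the -i key first and succeeds on the first attempt; a key that is both in the config and in the agent lands in group 1 and is tried first under either order.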