On 15/03/15 15:48, Jens Stimpfle wrote:
Hi,
I noticed that the ssh -i<keyfile> option is "ignored" in my case:
On my server, I have two keys in .ssh/authorized_keys:
command="echo A" ssh-rsa A... # Key A
command="echo B" ssh-rsa B... # Key B
Suppose these keys are stored on my client as A{,.pub} and B{,.pub}. Now
the following situation:
$ ssh-add -L
ssh-rsa A...
$ ssh -i B server
A
As you can see, when A is loaded in ssh-agent but B isn't, the
connection is made with key A even when B is specifically requested.
I looked around the source and found a few hints here and there
(readconf.c:add_identity_files(), sshconnect2.c:pubkey_prepare(), the
"userprovided" tag in the Options struct...), but overall it's unclear
to me what the semantics of "-i" is actually meant to be.
What I always expected from "-i" was that only the keys given with -i
are tried, or at least these keys are tried first, irrespective of
whether or not they are loaded into ssh-agent.
ssh tries with the ssh-agent keys first, then with the one provided with -i
As A is loaded and accepted, B is never tried.
I have been bitten by that several times, too. Usually when having many
keys in the agent, and trying to use a specific key, just to be rejected
by attempting a login with too-many-keys. I usually prepend env -i to
the ssh command, to disconnect it from the agent. Although as Stephen
mentions, you can also solve it with -o IdentitiesOnly=yes.
IMHO it should try -i keys first, and then the agent ones. But if the -i
key is already in the agent, it would be preferable not to ask for its
password again...
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev