Re: Strange identity ordering with sshclient and agent

On 04/27/2017 07:27 PM, Martino Io wrote:
Hello, I have a rather strange problem with a setup where keys are fed to
SSH_AGENT and a PAM integration; let me be clear that it works flawlessly, the
only problem I have is that whenever a key is coming from an agent, the
order seems to be messed up, not honouring the -i option:

This is the output from a console with the agent disabled, and it works as
it should; I'm specifying the identity manually here (-i
~/.ssh/id_rsa_laptop):

debug1: pubkey_prepare: ssh_get_authentication_socket: Connection refused
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x561c908da690), explicit
debug2: key: /home/martino/.ssh/id_rsa (0x561c908da9d0)
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa_laptop
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok

And this is the output where the agent is enabled:

debug2: key: /home/martino/.ssh/id_rsa (0x55a4dcddd9e0), agent
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x55a4dcddd6a0), explicit, agent
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok

The settings are stored in ~/.ssh/config and both identities are added
correctly to the agent:

2048 SHA256: /home/martino/.ssh/id_rsa (RSA)
2048 SHA256: /home/martino/.ssh/id_rsa_laptop (RSA)


The problem lies in the fact that both identities are accepted by the
server (id_rsa and id_rsa_laptop), but I need the explicit key to be used
first, as it has different ACL settings on the server; not sure why it is
not working at this point. Any help would be appreciated.

This is how it has always worked. The manual page explicitly says that the default locations ~/.ssh/id_{rsa,dsa,ecdsa,ed25519} will be used "by default". There are various possibilities for getting around that:

* Use IdentitiesOnly, as advised by man ssh_config, to use only the listed identities.
* Move id_rsa away and configure it in ssh_config so it is used only in the cases where you need it.

Regards,

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
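
Putting the IdentitiesOnly advice above into a concrete ~/.ssh/config, as an added example that is not part of the original thread: the host names, user name and the "broken"/"fixed" pairing are assumed for illustration, and the key file names mirror the post. The first Host block reproduces the behaviour seen in the second debug log (agent keys offered first, in the agent's order); the second block restricts ssh to the listed identities, in the listed order.

```sshconfig
# Added example (not from the thread). Host names, HostName and User are
# assumed; id_rsa and id_rsa_laptop are the key files from the post.

# Before: the agent holds both keys, so ssh offers every agent key first in
# the agent's own order. id_rsa is tried (and accepted) before the key named
# with -i or IdentityFile, which is exactly the ordering the post complains
# about.
Host fileserver-broken
    HostName fileserver.example.org
    User martino
    IdentityFile ~/.ssh/id_rsa_laptop

# After: IdentitiesOnly makes ssh offer only the identities configured here
# (plus any given with -i), even though the agent holds more. Signing still
# goes through the agent when id_rsa_laptop is loaded there; ssh only needs
# ~/.ssh/id_rsa_laptop.pub on disk to match the agent key.
Host fileserver
    HostName fileserver.example.org
    User martino
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa_laptop

# Everything else: keep id_rsa as the general-purpose key, but stop the agent
# from volunteering every key it holds to every server. IdentityFile lines
# accumulate across matching Host blocks in the order they are read, so for
# "fileserver" the offer order is id_rsa_laptop first, then id_rsa.
Host *
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa
```

To check the effective configuration without connecting, run `ssh -G fileserver` and look at the identityfile and identitiesonly lines; a real connection with `ssh -v fileserver` should then show "Offering RSA public key: /home/martino/.ssh/id_rsa_laptop" as the first key offered, the same debug line the post's agent-disabled log shows. The same restriction can be applied to a one-off command with `ssh -o IdentitiesOnly=yes -i ~/.ssh/id_rsa_laptop fileserver`. Beyond fixing the ordering, limiting the offered keys also stops ssh from presenting the public half of every agent key to every server it talks to, which otherwise lets unrelated servers correlate a user across hosts and burns authentication attempts against the server's MaxAuthTries limit.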
