On 04/27/2017 07:27 PM, Martino Io wrote:
Hello, I have a rather strange problem with a setup where keys are fed to SSH_AGENT and a PAM integration. Let me be clear that it works flawlessly; the only problem I have is that whenever a key is coming from an agent, the order seems to be messed up, not honouring the -i option.

This is the output from a console with the agent disabled, and it works as it should. I'm specifying the identity manually here (-i ~/.ssh/id_rsa_laptop):

debug1: pubkey_prepare: ssh_get_authentication_socket: Connection refused
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x561c908da690), explicit
debug2: key: /home/martino/.ssh/id_rsa (0x561c908da9d0)
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa_laptop
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok

And this is the output where the agent is enabled:

debug2: key: /home/martino/.ssh/id_rsa (0x55a4dcddd9e0), agent
debug2: key: /home/martino/.ssh/id_rsa_laptop (0x55a4dcddd6a0), explicit, agent
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/martino/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok

The settings are stored in ~/.ssh/config and both identities are added correctly to the agent:

2048 SHA256: /home/martino/.ssh/id_rsa (RSA)
2048 SHA256: /home/martino/.ssh/id_rsa_laptop (RSA)

The problem lies in the fact that both identities are accepted by the server (id_rsa and id_rsa_laptop), but I need the explicit key to be used first as it has different ACL settings on the server. Not sure why it is not working at this point. Any help would be appreciated.
This is how it has always worked. The manual page explicitly says that the default locations ~/.ssh/id_{rsa,dsa,ecdsa,ed25519} will be used "by default". There are various possibilities for getting around that:

* Use IdentitiesOnly, as advised by man ssh_config, to use only the listed identities.
* Move id_rsa away and configure it in ssh_config so it is used in the cases where you need it.
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
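An added example, not from either poster, of the IdentitiesOnly approach described above: an ssh_config fragment that pins the explicit key for one host while leaving agent keys usable elsewhere, plus a small awk checker that reports which identities a host block resolves to. The host alias "fileserver", the hostname and the key paths are constructed; the checker approximates ssh's rules (first value wins per keyword, IdentityFile lines accumulate) and only handles literal and "*" Host patterns.

```shell
#!/bin/sh
# Constructed config: the host-specific block comes first because ssh_config
# uses the first value obtained for each keyword.
CFG="$(mktemp)"
cat > "$CFG" <<'EOF'
Host fileserver
    HostName fileserver.example.com
    IdentityFile ~/.ssh/id_rsa_laptop
    IdentitiesOnly yes

# Defaults for everything else; agent-held keys remain usable here.
Host *
    IdentityFile ~/.ssh/id_rsa
EOF

# resolve_identities CFG HOST: print "IdentitiesOnly=<value>" followed by the
# IdentityFile entries ssh would try for HOST, in order. Assumption: only
# literal host names and "*" are matched (ssh supports richer patterns).
resolve_identities() {
    awk -v host="$2" '
        function matches(pats,   n, i, p) {
            n = split(pats, p, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (p[i] == "*" || p[i] == host) return 1
            return 0
        }
        BEGIN { active = 1 }                       # lines before any Host apply globally
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
        tolower($1) == "host" {
            sub(/^[ \t]*[Hh][Oo][Ss][Tt][ \t]+/, "")
            active = matches($0); next
        }
        !active { next }
        tolower($1) == "identityfile" { files[++nf] = $2 }   # accumulates
        tolower($1) == "identitiesonly" && only == "" { only = tolower($2) }  # first wins
        END {
            if (only == "") only = "no"
            print "IdentitiesOnly=" only
            for (i = 1; i <= nf; i++) print files[i]
        }
    ' "$1"
}

resolve_identities "$CFG" fileserver
```

With ssh installed, `ssh -G -F "$CFG" fileserver` prints the values ssh itself resolves for the same block.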