Hi Darren,
On 4/1/19 10:41 AM, Darren Tucker wrote:
> On Mon, 1 Apr 2019 at 08:12, Harald Dunkel <harald.dunkel@xxxxxxxxx> wrote:
>> I've got a moderate number of keys in my ssh config file.
>> Problem: Very often I get an error message like
>> [...]
>> The solution seems to be to set IdentitiesOnly, e.g.:
>> [...]
>> Shouldn't an explicit IdentityFile (as in the example) *imply*
>> IdentitiesOnly?
>
> Probably not. What version are you using? Is this key in the agent
> or do you need to supply a passphrase?

My client is 7.4 or newer, but the peers might be many years old.
The oldest I found was version 6.0 on AIX.
"AddKeysToAgent yes" is set.

> For recent versions each key has an annotation that says whether or
> not the key file was supplied by the user (ie either in the config
> file or on the command line). It should prefer keys that were both
> specified in the config *and* in the agent, and it should try them in
> the order they were supplied. If you're running into a situation
> where this doesn't work, then it is likely you are either using a
> version prior to that behaviour or there's a bug in it.

??? I have seen ssh-agent as a transparent means to avoid the same
password dialog again and again. ssh chooses which keys to try,
looking at the host name/IP address on the command line. The "Host"
constructs in the config file make sure that options set for one
host don't affect others.

You mean this is not the case for IdentityFile? If I drop ssh-agent
support, will ssh try *other* keys in a different sequence?
Regards
Harri
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
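
Added example (not part of the original message and not OpenSSH source code): a simplified Python model of the offer order Darren describes, extended with the documented effect of IdentitiesOnly, to show why it matters whether the configured key is in the agent. The key names are constructed, and the placement of agent-only and file-only keys after the preferred ones is an assumption of this model.

```python
# Simplified model of the client's public-key offer order.
# Added example, not OpenSSH source. Keys are identified by constructed
# names here; a real client compares public key blobs.

def offer_order(config_identities, agent_keys, identities_only=False):
    """Return the order in which keys would be offered to the server.

    1. keys that are both configured (IdentityFile / -i) and in the agent,
       in the order they were configured
    2. remaining agent keys (dropped when IdentitiesOnly is set)
    3. configured keys that are not in the agent (read from file, may
       prompt for a passphrase); placement is an assumption of this model
    """
    agent = list(agent_keys)
    both = [k for k in config_identities if k in agent]
    agent_only = [] if identities_only else [
        k for k in agent if k not in config_identities
    ]
    file_only = [k for k in config_identities if k not in agent]
    return both + agent_only + file_only


def offers_before(key, order):
    """Number of other keys offered, and rejected, before `key` is tried."""
    return order.index(key)


# Constructed sample: seven keys in the agent, one IdentityFile per host.
AGENT = ["id_work", "id_home", "id_lab", "id_git",
         "id_backup", "id_old", "id_aix"]

if __name__ == "__main__":
    cases = {
        "configured key in agent": (["id_aix"], False),
        "configured key not in agent": (["id_cold"], False),
        "not in agent, IdentitiesOnly": (["id_cold"], True),
    }
    for label, (cfg, only) in cases.items():
        order = offer_order(cfg, AGENT, only)
        print(f"{label:30} {offers_before(cfg[0], order)} offers first")
        print(f"{'':30} {order}")
```

In this model an explicit IdentityFile only reorders the candidates; the other agent keys are still offered unless IdentitiesOnly is set, and a configured key that is not in the agent is tried last.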