On Tue, 30 Nov 2021, Dirk-Willem van Gulik wrote:

> Is it just me - or does, since version 3.0.7, IdentitiesOnly no longer
> include PKCS#11 keys ?
>
> With IdentitiesOnly set to yes - I see them getting picked up:
>
> debug2: pkcs11_fetch_keys: provider /Library/OpenSC/lib/onepin-opensc-pkcs11.so slot 0: RSA SHA256:etcetc
> debug1: have 2 keys
>
> but not being offered. With IdentitiesOnly set to no (or without; the
> default) - they get offered.
>
> Is that intentional ? Or what is the thinking behind this ?

Yes, intentional. This changed in OpenSSH 6.2, almost 9 years ago :)

> commit cb6b68b209d8868a94a30b1a634beb1a65cb5265
> Author: Damien Miller <djm@xxxxxxxxxxx>
> Date:   Mon Dec 3 09:49:52 2012 +1100
>
>     - djm@xxxxxxxxxxxxxxx 2012/12/02 20:26:11
>       [ssh_config.5 sshconnect2.c]
>       Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
>       This allows control of which keys are offered from tokens using
>       IdentityFile. ok markus@

The behaviour changed to fix a bug: IdentitiesOnly was not being applied
to PKCS#11 hosted keys, making it impossible to control which ones were
being offered to a server.

Since the change, you are able to filter PKCS#11 keys using IdentityFile
directives. To do this, you need to specify the public key rather than
the private. The same thing works for keys held in ssh-agent.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
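An added ssh_config example (not from the thread) of the filtering described above: the provider path is the one from the question, while the host name and the `~/.ssh/token-deploy.pub` file name are assumptions.

```sshconfig
# Offer only one of the token's keys to this server.
# Export the token's public keys first (one authorized_keys-style line each):
#   ssh-keygen -D /Library/OpenSC/lib/onepin-opensc-pkcs11.so > ~/.ssh/token-keys.pub
# then copy the single line for the wanted key into ~/.ssh/token-deploy.pub
# (assumed file name).

Host deploy.example.org
    PKCS11Provider /Library/OpenSC/lib/onepin-opensc-pkcs11.so
    # With "yes", only identities named by IdentityFile are offered; with "no"
    # (the default) every key the provider and ssh-agent hold is tried in turn.
    IdentitiesOnly yes
    # Must point at the PUBLIC key: the private half never leaves the token,
    # and ssh matches it against the keys fetched from the provider.
    IdentityFile ~/.ssh/token-deploy.pub
```

With `ssh -vv deploy.example.org` the debug output still shows pkcs11_fetch_keys loading every key on the token, but only the one listed in IdentityFile is offered to the server.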