Discussion:
Selecting specific key from agent
William Faulk
2016-01-21 00:34:44 UTC
There are cases when a user might have multiple keys in ssh-agent, but
wants to use a specific one. Unless I'm mistaken, this is currently
impossible. I've put together a proof of concept using the key's
"filename" (the third column in the output of 'ssh-add -l') and it
works.

Is this a new feature that would be accepted? If so, should the key be
identified with its "filename", or a fingerprint, or something else?
What would be an appropriate option name? Does it make more sense to
prevent loading the other keys at all, or to load them but not
transmit the ones that don't match?
--
Bitt Faulk
Ruediger Meier
2016-01-21 07:50:03 UTC
Post by William Faulk
There are cases when a user might have multiple keys in ssh-agent,
but wants to use a specific one. Unless I'm mistaken, this is
currently impossible.
You can do that with option "IdentityFile", see "man ssh_config".
Either specified with -o or IMO better in ~/.ssh/config like my example
here:

Host gcc?? gcc??? gcc*.fsffrance.org
IdentityFile /home/rudi/.ssh/gccfarm_rudi_dsa
IdentitiesOnly=yes
PasswordAuthentication no

Host * !gcc?? !gcc??? !gcc*.fsffrance.org
IdentityFile /home/rudi/.ssh/id_ecdsa

cu,
Rudi
William Faulk
2016-01-21 14:25:04 UTC
Post by Ruediger Meier
You can do that with option "IdentityFile"
IdentityFile currently only looks at a specific file on the
filesystem. It doesn't modify what key is chosen from an agent. This
does not work when your key doesn't exist on the local filesystem,
such as when you're logged into a remote system and relying on
ForwardAgent.
--
Bitt Faulk
Christian Weisgerber
2016-01-21 15:11:02 UTC
Post by Ruediger Meier
Post by William Faulk
There are cases when a user might have multiple keys in ssh-agent,
but wants to use a specific one. Unless I'm mistaken, this is
currently impossible.
You can do that with option "IdentityFile", see "man ssh_config".
That assumes that the key files are locally available.

If you are on host A and want to connect to B, it is perfectly
possible to have keys in the agent that were added on another host C.
--
Christian "naddy" Weisgerber ***@mips.inka.de
Ángel González
2016-01-22 00:45:59 UTC
Post by Christian Weisgerber
Post by Ruediger Meier
Post by William Faulk
There are cases when a user might have multiple keys in ssh-agent,
but wants to use a specific one. Unless I'm mistaken, this is
currently impossible.
You can do that with option "IdentityFile", see "man ssh_config".
That assumes that the key files are locally available.
If you are on host A and want to connect to B, it is perfectly
possible to have keys in the agent that were added on another host C.
Note you can provide to IdentityFile a file containing the *public* key.
So no need to copy the key into B.

(Actually, it can also be beneficial, as not having the key in the agent
will produce a failure, instead of ssh(1) requesting the key password,
which is a UI that could be produced by a compromised server)
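An added illustration of the two ways of identifying an agent key discussed above (matching against a public-key file given to IdentityFile with IdentitiesOnly, and the original post's idea of matching on the comment column of 'ssh-add -l'); this is not code from the thread or from OpenSSH. The keys and the agent listing are constructed sample data, and real ssh compares the public key blobs themselves, whereas this sketch compares their SHA256 fingerprints.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_pub: bytes, comment: str) -> str:
    """Build a .pub style line from a 32-byte ed25519 public key.
    raw_pub is constructed filler here, not a key from a real keypair."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(blob)) with '=' padding stripped."""
    _keytype, b64blob = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fake_agent_listing(pubkey_lines):
    """Simulate `ssh-add -l`: one '<bits> <fingerprint> <comment> (<TYPE>)' row per key."""
    rows = []
    for line in pubkey_lines:
        comment = line.split(None, 2)[2]  # third column of the .pub line
        rows.append(f"256 {fingerprint(line)} {comment} (ED25519)")
    return "\n".join(rows)


def keys_offered(listing: str, identity_pub_line: str):
    """IdentitiesOnly yes + IdentityFile pointing at a .pub: only the agent key
    whose public part matches that file is offered (fingerprint equality here)."""
    wanted = fingerprint(identity_pub_line)
    return [row for row in listing.splitlines() if row.split()[1] == wanted]


def keys_offered_by_comment(listing: str, comment: str):
    """The thread's proposal: pick the agent key by its comment column (no spaces assumed)."""
    return [row for row in listing.splitlines() if row.split()[2] == comment]


# Constructed sample keys (public halves only, deterministic filler bytes).
WORK_PUB = make_ed25519_pubkey_line(bytes([0x11]) * 32, "/home/user/.ssh/id_work")
HOME_PUB = make_ed25519_pubkey_line(bytes([0x22]) * 32, "/home/user/.ssh/id_home")
AGENT_LISTING = fake_agent_listing([WORK_PUB, HOME_PUB])

if __name__ == "__main__":
    print(AGENT_LISTING, "\noffered:", keys_offered(AGENT_LISTING, WORK_PUB))
```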
Peter Stuge
2016-01-22 01:08:54 UTC
Post by William Faulk
There are cases when a user might have multiple keys in ssh-agent, but
wants to use a specific one. Unless I'm mistaken, this is currently
impossible. I've put together a proof of concept using the key's
"filename" (the third column in the output of 'ssh-add -l') and it
works.
Is security one of the motivations for the change?

In that case, the user interface needs to be agent-side.


//Peter
