
tony.kay at gmail
Dec 13, 2011, 2:52 PM
Post #1 of 5
ssh-agent and IdentityFile
I've noticed that ssh-agent applies any keys it already has passwords for (via ssh-add) first, overriding the preferred identity file from .ssh/config and -i. This seems to be documented behavior. However, this causes problems with some tool chains that use the authorized_keys command directive to change behavior based on which key is used.

In my case, I use gitolite for git repositories, and we have a number of developers, each with different permissions. As the admin, I have more than one SSH identity that gives me different permissions on the server (again, through a command directive in authorized_keys on the server). So, my .ssh/config uses two different Host configs, so I can use the alias hostname to get to the different access permissions:

    Host=hostA
    Hostname=repos.example.com
    IdentityFile=usera

    Host=hostAAdmin
    Hostname=repos.example.com
    IdentityFile=userb

Of course, these key files are password protected. Once ssh-agent has the usera or userb key installed, it ignores the config... meaning I have to do a lot of shuffling with ssh-add... and I've lost the benefit of using ssh-agent at all... worse, now I'm typing ssh-add -D, followed by ssh-add identity, followed by the password again! I just end up killing ssh-agent and typing passwords... unless I'm on OSX, which auto-starts ssh-agent every time I use ssh.

This seems incorrect, since I would not have configured IdentityFile if it didn't matter to me. I would consider this a bug, though I know it is a documented "feature"... which is why I'm writing here. Please enlighten me.

Tony

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
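Added example (editor's note, not part of the post above or of OpenSSH itself): the standard way to make a Host alias offer only its own IdentityFile, even when ssh-agent already holds other keys, is the ssh_config option IdentitiesOnly yes. The script below writes the two stanzas from the post with that option added and, where an ssh binary is available, uses `ssh -G` (OpenSSH 6.8 and later; it resolves the configuration and exits without connecting) to confirm which key each alias would actually offer. The host name repos.example.com and the key file names usera and userb are the poster's placeholders; the ~/.ssh/ paths are an assumption.

```shell
# Added example, not from the original post. Assumes the poster's
# placeholders (repos.example.com, usera, userb) and that the keys live
# under ~/.ssh/.

# Emit the two stanzas. IdentitiesOnly tells ssh to offer only the
# IdentityFile listed for that Host instead of every key the agent holds.
make_ssh_config() {
    cat <<'EOF'
Host hostA
    Hostname repos.example.com
    IdentityFile ~/.ssh/usera
    IdentitiesOnly yes

Host hostAAdmin
    Hostname repos.example.com
    IdentityFile ~/.ssh/userb
    IdentitiesOnly yes
EOF
}

# Print the identity file ssh would offer for an alias, resolved from the
# given config file with `ssh -G` (no connection is made). Prints nothing
# if ssh is not installed.
resolved_identity() {
    config_file="$1"; host_alias="$2"
    command -v ssh >/dev/null 2>&1 || return 0
    ssh -G -F "$config_file" "$host_alias" \
        | awk '$1 == "identityfile" { print $2; exit }'
}

# Succeed if the resolved configuration for an alias has identitiesonly
# enabled (also succeeds, vacuously, when ssh is absent).
identities_only_set() {
    config_file="$1"; host_alias="$2"
    command -v ssh >/dev/null 2>&1 || return 0
    ssh -G -F "$config_file" "$host_alias" | grep -q '^identitiesonly yes$'
}

# Demo: write the config to a temporary directory and show, per alias,
# the single key ssh will present to the server.
demo() {
    tmp=$(mktemp -d)
    make_ssh_config > "$tmp/config"
    for h in hostA hostAAdmin; do
        printf '%s -> %s\n' "$h" "$(resolved_identity "$tmp/config" "$h")"
    done
    rm -rf "$tmp"
}

demo
```

With IdentitiesOnly set, ssh-add -D is no longer needed: ssh still uses the agent to sign with the listed key when that key is loaded (the matching .pub file next to the private key is enough for ssh to recognise it), and it simply stops offering the agent's other keys first. The same effect on the command line is `ssh -o IdentitiesOnly=yes -i ~/.ssh/userb repos.example.com`.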