ssh '-i' flag not using the provided key to authenticate
I've realized over the past few months that the ssh command's "-i" flag (which specifies an identity file) doesn't work properly when I try to authenticate to some server.
From what I understood, I could use this flag to specify an ssh key to authenticate to the server, avoiding the need to try each key added to my agent and possibly overflowing the connection attempts.
What I'm trying now is to change the user to authenticate to git (the question is not git specific), and what is happening is this:
- I have two ssh keys that authenticate to github, let's call them user1.pem and user2.pem.
- user1.pem authenticates to user1 in github and user2.pem authenticates to user2.
- When I run the command "ssh -T ", it authenticates to user1.
- When I run the command "ssh -T -i ~/.ssh/user2.pem ", it still authenticates to user1.
There's no problem at all with the keys, both have been added to the agent and they have the correct file permissions.
To circumvent this I had to remove all the keys from my agent and re-add only the user2.pem, then it authenticated to user2.
Just to reiterate, this is NOT git specific, as I had this problem with common Linux servers as well, and I couldn't find any solution besides configuring the hosts in the ~/.ssh/config file. I'm using git as an example just because it is easier to test.
Am I using the "ssh -i" flag in the wrong way?
Answer
From the description of your problem, this is related to (the absence of) this option seen in man ssh_config:
IdentitiesOnly
    Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identities.
You are also probably enabling the AddKeysToAgent option (which is handy), which automatically keeps user1 loaded in the agent after first use.
So you should run this:
ssh -T -o IdentitiesOnly=yes -i ~/.ssh/user2.pem 
This will prevent the identity for user1 from ever being considered for authentication and force the use of the identity for user2.
Alternatively (but not so useful), unsetting the environment variable SSH_AUTH_SOCK will render the ssh agent unavailable to the command. This would have a similar result, except that you'd be asked for the passphrase again each time, instead of the agent providing the decrypted key itself once loaded, as in the former case.
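To make the per-account choice permanent instead of passing both options on every invocation, the same IdentitiesOnly setting can be pinned in ~/.ssh/config. The fragment below is an added illustration, not part of the answer above; the alias names github-user1 and github-user2 are assumptions, and the key paths follow the question.

```sshconfig
# Constructed example: one alias per GitHub account, each pinned to exactly
# one key. IdentitiesOnly stops ssh from offering every key the agent holds
# (including user1.pem) before the one configured here.
Host github-user1
    HostName github.com
    User git
    IdentityFile ~/.ssh/user1.pem
    IdentitiesOnly yes

Host github-user2
    HostName github.com
    User git
    IdentityFile ~/.ssh/user2.pem
    IdentitiesOnly yes

# The same pattern applies to any server, not just GitHub: the alias name is
# what you type, HostName is the real host, and IdentityFile plus
# IdentitiesOnly yes restrict the client to that single key.
```

With this in place, "ssh -T github-user2" authenticates as user2 without touching the agent's other keys; running it with "-v" shows a single "Offering public key" line for user2.pem, which is a quick way to confirm the restriction took effect.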