Explicit identity files are being used after implicit files are attempted

Bug #1302812 reported by Michael Hall
Affects                 Status   Importance  Assigned to  Milestone
portable OpenSSH        Invalid  Low
gnome-keyring (Ubuntu)  New      Undecided   Unassigned
openssh (Ubuntu)        Invalid  Undecided   Unassigned

Bug Description

When explicitly setting an identity, either via the -i command-line parameter or IdentityFile in the ssh config, these files are used only after any other identity files found in ~/.ssh/ have failed pubkey authentication.

When the remote host limits the number of pubkey authentication failures before disconnecting, this can lead to a situation where the explicit identity file is not even used when connecting to that host.

Andreas Olsson (andol) wrote:

It's an explicit behavior of the openssh client to try keys provided by the ssh agent. If you don't want this behavior you can set the IdentitiesOnly ssh config option.

I would assume that what is happening here is that you are using the gnome-keyring as your ssh agent? From what I can see it automatically adds any key it can find under ~/.ssh/.

(Not that I have much of an opinion either way in regards to whether there is a bug anywhere or not.)

Damien Miller (djm) wrote:

You need IdentitiesOnly=yes; from ssh_config(1):

  IdentitiesOnly
     Specifies that ssh(1) should only use the authentication identity
     files configured in the ssh_config files, even if ssh-agent(1) or
     a PKCS11Provider offers more identities. The argument to this
     keyword must be “yes” or “no”. This option is intended for
     situations where ssh-agent offers many different identities. The
     default is “no”.

Changed in openssh:
importance: Unknown → Low
status: Unknown → Invalid
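The failure mode described in this bug is an ssh_config stanza that pins an IdentityFile but never sets IdentitiesOnly, so an agent such as gnome-keyring can still offer its other keys first and burn through the server's pubkey-failure budget before the pinned key is tried. The following added audit script (not part of the bug report or of OpenSSH; the sample config and its host names are constructed) flags such stanzas in a config file, showing the weak stanza beside its corrected form. It is a per-stanza check: it does not follow `Host *` inheritance or the `key=value` spelling of options.

```shell
#!/bin/sh
# Added example, not from the bug report or OpenSSH: audit an ssh_config
# for Host stanzas that declare an IdentityFile but never set
# "IdentitiesOnly yes", the configuration this bug report runs into.

# Constructed sample config: the first stanza is the weak form, the
# second is the corrected form from the upstream reply.
SAMPLE_CONFIG=$(cat <<'EOF'
Host weak.example
    HostName weak.example
    IdentityFile ~/.ssh/id_deploy

Host fixed.example
    HostName fixed.example
    IdentityFile ~/.ssh/id_deploy
    IdentitiesOnly yes
EOF
)

# audit_ssh_config: reads an ssh_config on stdin and prints the first
# pattern of every Host stanza that has IdentityFile without
# "IdentitiesOnly yes". Exit status is 1 if any such stanza was found.
# Keyword matching is case-insensitive, as ssh_config(5) keywords are.
audit_ssh_config() {
    awk '
        function flush() {
            if (host != "" && has_idfile && !only) { print host; bad++ }
            host = ""; has_idfile = 0; only = 0
        }
        tolower($1) == "host" { flush(); host = $2; next }
        tolower($1) == "identityfile" { has_idfile = 1 }
        tolower($1) == "identitiesonly" && tolower($2) == "yes" { only = 1 }
        END { flush(); exit (bad > 0) }
    '
}

# weak_hosts: runs the audit over the constructed sample; prints the
# stanzas that still need "IdentitiesOnly yes" and returns 1 if any exist.
weak_hosts() {
    printf '%s\n' "$SAMPLE_CONFIG" | audit_ssh_config
}

# Usage: list the offending stanzas and explain the required fix.
weak_hosts || echo "stanzas above pin an IdentityFile but lack IdentitiesOnly yes"
```

Run it against a real file with `audit_ssh_config < ~/.ssh/config`.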
Colin Watson (cjwatson) wrote:

Closing the Ubuntu openssh task for the same reason as given by upstream.

Changed in openssh (Ubuntu):
status: New → Invalid