SSH IdentitiesOnly=yes forwarding all my keys
I cannot for the life of me figure out why my SSH config is forwarding the wrong key. I have two keys, we'll call them home_rsa and work_rsa. I have done the following:

eval `ssh-agent`
ssh-add -K ~/.ssh/home_rsa
ssh-add -K ~/.ssh/work_rsa

Here is my ~/.ssh/config file:

Host home
  ForwardAgent yes
  HostName home.com
  IdentityFile ~/.ssh/home_rsa
  IdentitiesOnly yes
  User home

Host work
  ForwardAgent yes
  HostName work.com
  IdentitiesOnly yes
  IdentityFile ~/.ssh/work_rsa
  User work

Host bitbucket
  IdentityFile ~/.ssh/home_rsa

Host bitbucket-work
  IdentityFile ~/.ssh/work_rsa

Host bitbucket*
  HostName bitbucket.com
  User git

When I run the following…

ssh work
ssh [email protected]

…Bitbucket reports that I'm using my home user, though I'm clearly logged into my work server and should be forwarding my work key. If I add my SSH identities in the reverse order and run the same code above, Bitbucket reports I'm using my work user. Running ssh-add -l from my work server, I see that both SSH keys are being forwarded, but isn't that the job of IdentitiesOnly yes?

Really confused as to what's going on here.

Oedema answered 1/4, 2016 at 18:24 Comment(4)
No. IdentitiesOnly controls what key is used for authentication, but does not affect the list of keys available in your agent. (Infliction)
Oh. Then is there a way to control which key(s) are made available in my agent on a per-server basis? (Oedema)
Not really, no. I mean, you could hack up something with multiple local agents, but it probably wouldn't be pretty. (Infliction)
I said in another comment: "Bitbucket disallows using the same SSH key between Bitbucket accounts. I have a work account and a personal account. When I try to push/fetch/merge/etc., I want the remote server to be using the correct SSH key." Is there any [sane] way to accomplish this? (Oedema)
Really confused as to what's going on here.

The ForwardAgent option forwards the connection to your agent, with all the keys inside, and does not forward your local ~/.ssh/config to the remote host. What you do on the work host is controlled by your configuration on that host.

What are you trying to do with that?

Tiannatiara answered 1/4, 2016 at 18:28 Comment(3)
Bitbucket disallows using the same SSH key between Bitbucket accounts. I have a work account and a personal account. When I try to push/fetch/merge/etc., I want the remote server to be using the correct SSH key. (Oedema)
Yes, and I understand your answer. But you asked what I am trying to do with that. I am trying to push/fetch/merge/etc. on my remote server. (Oedema)
So then you need: 1) To create such a configuration on the remote server (it might not work, since the keys are not local). 2) Differentiate between the keys in another way, for example by confirmation (-c switch to ssh-add). 3) Use different keys for connecting from that server. (Tiannatiara)

You need to add your SSH keys to their respective Bitbucket accounts first on their website (work user with work_rsa, user with user_rsa). Then maybe this could help.

Host                bitbucket-work
HostName            bitbucket.org
IdentitiesOnly      yes
IdentityFile        ~/.ssh/work_rsa
User                work

Usage:

ssh bitbucket-work

Actinon answered 1/7, 2016 at 1:55 Comment(0)

As written in the accepted answer, selecting keys used for authentication is not related to what keys are forwarded. Separate ssh-agents are needed. Luckily that is easily configured.

From ssh-agent(1) we can learn that it takes a -a option to specify bind_address, and ssh_config(5) tells us that ForwardAgent can be set to what turns out to be the same value.

Prepare your agents:

eval `ssh-agent -a ~/.ssh/home.agent`   # first agent, listening on its own socket path
ssh-add ~/.ssh/home_rsa                 # goes into the agent SSH_AUTH_SOCK now points at
eval `ssh-agent -a ~/.ssh/work.agent`   # second agent, separate socket
ssh-add ~/.ssh/work_rsa                 # goes into the work agent only
unset SSH_AUTH_SOCK SSH_AGENT_PID       # so ssh picks the agent from IdentityAgent, not the last one started

Configure your ssh:

Host work
    HostName      work.example.com
    ForwardAgent  ~/.ssh/work.agent
    IdentityAgent ~/.ssh/work.agent

Host home
    HostName      home.example.com
    ForwardAgent  ~/.ssh/home.agent
    IdentityAgent ~/.ssh/home.agent

That should completely separate home and work keys. Setting IdentityAgent to a different value than ForwardAgent is left as an exercise for someone exposed to a threat level calling for such complexity.

Nonce answered 31/8, 2022 at 9:32 Comment(0)
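The point made in the accepted answer (a forwarded agent exposes every key it holds, whatever IdentitiesOnly says on the client) and the separate-agents setup in the answer directly above, shown in code. This is an added example, not code from the page or from OpenSSH: a small Python client that sends the agent protocol's SSH_AGENTC_REQUEST_IDENTITIES over a Unix socket and decodes the SSH_AGENT_IDENTITIES_ANSWER, which is exactly the query a remote host makes through the forwarded socket, plus a check that a given agent socket (for instance ~/.ssh/work.agent from the answer above) exposes only the fingerprints that host should see. The key blobs, their comments and the in-process fake agent are constructed for the demonstration and are not real keys; all function and constant names here are mine, not OpenSSH's.

```python
"""Query an SSH agent socket the way a remote host does through ForwardAgent.

Added example, not from the page or OpenSSH. IdentitiesOnly never appears on the
wire: the agent answers an identities request with every key it holds.
"""
import base64
import hashlib
import os
import socket
import struct
import tempfile
import threading

SSH_AGENTC_REQUEST_IDENTITIES = 11   # client -> agent: "which keys do you have?"
SSH_AGENT_IDENTITIES_ANSWER = 12     # agent -> client: list of (blob, comment)


def _string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key blob (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def build_identities_answer(keys):
    """Frame an SSH_AGENT_IDENTITIES_ANSWER for (blob, comment) pairs as ssh-agent sends it."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += _string(blob) + _string(comment.encode())
    return struct.pack(">I", len(body)) + body


def parse_identities_answer(msg: bytes):
    """Decode an identities answer (outer length prefix already stripped) into key records."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _read_string(msg, off)
        comment, off = _read_string(msg, off)
        ktype, _ = _read_string(blob, 0)  # first field of any public-key blob is its type
        keys.append({"type": ktype.decode(), "comment": comment.decode(errors="replace"),
                     "fingerprint": fingerprint(blob)})
    return keys


def list_agent_keys(sock_path=None):
    """Ask the agent behind sock_path (default $SSH_AUTH_SOCK) which keys it holds."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.connect(path)
        conn.sendall(_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (n,) = struct.unpack(">I", _recv_exact(conn, 4))
        return parse_identities_answer(_recv_exact(conn, n))


def agent_is_isolated(keys, allowed_fingerprints):
    """True when the agent exposes nothing beyond the keys this host should see."""
    return {k["fingerprint"] for k in keys} <= set(allowed_fingerprints)


# Constructed sample: fake ed25519 blobs standing in for home_rsa and work_rsa (not real keys).
HOME_BLOB = _string(b"ssh-ed25519") + _string(bytes([0x11]) * 32)
WORK_BLOB = _string(b"ssh-ed25519") + _string(bytes([0x22]) * 32)


def query_fake_agent(keys):
    """Serve one identities answer from a throwaway agent socket and query it with
    list_agent_keys(), so the client can be exercised without a real ssh-agent."""
    path = os.path.join(tempfile.mkdtemp(), "agent.sock")
    answer, ready = build_identities_answer(keys), threading.Event()

    def serve():
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            srv.listen(1)
            ready.set()
            conn, _ = srv.accept()
            with conn:
                (n,) = struct.unpack(">I", _recv_exact(conn, 4))
                if _recv_exact(conn, n)[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                    conn.sendall(answer)

    threading.Thread(target=serve, daemon=True).start()
    ready.wait(2)
    return list_agent_keys(path)


if __name__ == "__main__":
    # Against a real agent: SSH_AUTH_SOCK=$HOME/.ssh/work.agent python3 agent_keys.py
    found = (list_agent_keys() if "SSH_AUTH_SOCK" in os.environ
             else query_fake_agent([(HOME_BLOB, "home_rsa"), (WORK_BLOB, "work_rsa")]))
    for k in found:
        print(k["type"], k["fingerprint"], k["comment"])
```

Run it on the work host with SSH_AUTH_SOCK pointing at the forwarded socket and it prints what `ssh-add -l` prints there, because both send the same request; with the single-agent setup from the question both keys come back, with the per-host agents from the answer above only the work key does, and agent_is_isolated() gives a scriptable check for that before any git push from the remote host.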

© 2022 - 2024 — McMap. All rights reserved.