On 11/23/2017 03:20 AM, cen wrote:
> According to other replies gnome-keyring is involved so perhaps the
> fault lies in that. I doubt upstream ssh guys would override cli
> options with agent.

Nonsense. GNOME provides *an* agent, it doesn't modify ssh. The ssh
client decides what order to attempt authentication methods.

> For now I managed to completely disable it system wide by adding
> export SSH_AUTH_SOCK="" in a /etc/profile.d script.

If you don't want your ssh keys to be used automatically, the
least-effort fix is simply to not store them in .ssh. Keys stored
elsewhere can be specified on the command line, but won't be loaded
automatically by the GNOME keyring application.

The SSH agent is an important component of secure SSH use. You *should*
keep your keys encrypted on disk (even if your filesystem itself is
encrypted). The agent makes it viable to use secure passphrases with
keys that you use frequently, eliminating the barrier to use that typing
the passphrase frequently presents. It also allows you to forward your
agent connection with SSH sessions, so that you can hop from host to
host without copying private keys to the intermediate hosts.