Problem with ssh identities
Rick Stevens
ricks at nerd.com
Mon Jan 11 22:06:38 UTC 2010
On 01/09/2010 08:09 PM, Bill Davidsen wrote:
> H. Willstrand wrote:
>> On Sat, Jan 9, 2010 at 2:32 AM, Bill Davidsen<davidsen at tmr.com> wrote:
>>> I am using the "command=" feature heavily as part of a backup system, which
>>> allows me to run commands on a remote server without allowing general
>>> function. I give the public key for a functionality to the server, add to
>>> authorized_keys, and can closely control the users. The key is chosen by use
>>> of the "-i" option to ssh.
>>>
>>> All of this has been working nicely for several years.
>>>
>>> However, it seems that ssh offers the default key *first* to the server,
>>> rather than the one specified on the command line. That's so bizarre I spent
>>> time checking that it really happened before asking here.
>>>
>>> So the question is, how can I get ssh to offer the key I give it in the
>>> command line first? Preferably as the only key offered, actually, but
>>> definitely before the default key, which on several machines drops me into
>>> another application.
>>>
>>> Is there some clever means or option I missed?
>>>
>>
>> Have you tried the -F option instead?
>>
> No, if I saw a config option to use the key the command line provides first I
> would put it in the system config file. Is there an option I missed? Having an
> option file for each key would seem a roundabout way to do things.
There are two ways to do it. You can create "~/.ssh/config" files for
each local user that specify keys. Or modify /etc/ssh/ssh_config and
put in:
Host host.domain.tld
    IdentityFile /path/to/id_dsa/file
Host host1.domain.tld
    IdentityFile /path/to/id_dsa-or-id_rsa/file
to make it global. The paths to the filenames can use some special
tokens ("%d", "%u", etc.) to form the path. See the "IdentityFile"
bit of "man ssh_config".
> Or have I missed your point? The issue is that I need different keys depending
> on what I'm doing, and the man page seems to say that the -i key will be used
> instead of the default, which is just what I need.
I think the "-i" is run in the context of the user actually running the
ssh command, not the user named in the "user at host" or "-l" options in
the command.
If this is right and you run the ssh command as "fred", and do something
like:
ssh barney at remotehost
or
ssh -l barney remotehost
ssh will attempt to read the identity file as user "fred". Since the
files are usually set with mode 600 (rw-------) and owned by their
user ("barney" in this case), fred can't read barney's files and ssh
sends out the system-wide default.
That's just an educated guess, you understand. I've never used
identity files from another user. 90% of what I do via ssh is
interactive. Running the ssh command with "-vvv" and watching the
output may reveal something completely different.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- "I understand Windows 2000 has a Y2K problem." -
----------------------------------------------------------------------
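An added example, not code from anyone in this thread, showing the two halves of the setup Bill describes: a per-host client stanza that makes ssh offer only the backup key (the "IdentitiesOnly yes" option restricts ssh to the IdentityFile entries configured for that host or given with -i, instead of the default identities and agent keys), and on the server side the authorized_keys entry plus the forced-command wrapper that sshd runs in place of whatever the client asked for, with the client's request available in $SSH_ORIGINAL_COMMAND. The host backup.example.com, the remote user "backup", the key ~/.ssh/id_backup, the wrapper path /usr/local/bin/backup-shell and the allowed tree /srv/backups/ are all assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: host backup.example.com,
# remote user "backup", key ~/.ssh/id_backup, wrapper /usr/local/bin/backup-shell,
# and /srv/backups/ as the only tree the backup job may read.

# Client side: a stanza for ~/.ssh/config or /etc/ssh/ssh_config.
# "IdentitiesOnly yes" makes ssh offer only the IdentityFile configured here
# (or given with -i), not the default id_* files or keys held by the agent,
# so the forced-command key is the first and only key the server sees.
client_config() {
    cat <<'EOF'
Host backup.example.com
    User backup
    IdentityFile ~/.ssh/id_backup
    IdentitiesOnly yes
EOF
}

# Server side: the authorized_keys entry. $1 is the public key line
# ("ssh-ed25519 AAAA... comment"). Beyond command=, the other options switch
# off the forwarding and tty features a non-interactive backup job never needs.
authorized_keys_line() {
    printf 'command="/usr/local/bin/backup-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Decide whether the client's request ($1, the value of SSH_ORIGINAL_COMMAND)
# is the one exact shape the backup job needs:
#   rsync --server --sender -<flags> . /srv/backups/<subpath>
# Returns 0 for allowed, 1 for denied. Anything else, including an empty
# request (an interactive shell), is refused.
allowed_command() {
    req=$1
    case $req in
        "")              return 1 ;;   # no command: client wanted a login shell
        *[';&|`$()<>']*) return 1 ;;   # shell metacharacters
        *'..'*)          return 1 ;;   # path traversal
    esac
    set -f                            # no globbing while word-splitting the request
    set -- $req
    set +f
    [ $# -eq 6 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    case $4 in -[a-zA-Z.]*) ;; *) return 1 ;; esac   # one short-option word only
    [ "$5" = . ] || return 1
    case $6 in /srv/backups/*) return 0 ;; *) return 1 ;; esac
}

# Entry point installed as /usr/local/bin/backup-shell. A validated request is
# word-split and exec'd directly (no shell re-parsing); everything else is
# logged via syslog and refused.
backup_shell() {
    req=${SSH_ORIGINAL_COMMAND-}
    if allowed_command "$req"; then
        logger -t backup-shell "allowed from ${SSH_CLIENT-?}: $req"
        set -f; set -- $req; set +f
        exec "$@"
    fi
    logger -t backup-shell "denied from ${SSH_CLIENT-?}: $req"
    echo "backup-shell: request refused" >&2
    exit 255
}

# Act as the forced command only when sshd invoked this file under its
# installed name; otherwise the functions are just defined for inspection.
if [ -n "${SSH_CONNECTION-}" ] && [ "${0##*/}" = backup-shell ]; then
    backup_shell
fi
```

Because the wrapper matches the request word by word, the client side must use one fixed rsync invocation (for example `rsync -a backup@backup.example.com:/srv/backups/ ./mirror/`); if the job later needs long options such as --delete, the word count and option checks in allowed_command have to be extended deliberately rather than loosened to a wildcard. Running the client with `ssh -vvv` shows which identity is offered first, which is the quickest way to confirm the stanza is in effect.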