gpg-agent and ~/.ssh/config IdentityFile

Peter Lebbing peter at digitalbrains.com
Wed Jul 6 11:37:14 CEST 2016


On 05/07/16 23:23, Daniel Kahn Gillmor wrote:
> You're right, this really is a better question for OpenSSH users.

Well, I'm stubborn, and I'm still going to answer here :-).

> Do you have a .pub file of the public part of your identity?  try
> pointing Identities to that file.

Yes, that occurred to me as well as a possibility to try. It turned out
to be the correct idea.

With default config, no restrictions:
> $ ssh-add -l
> 2048 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1 cardno:000500000241 (RSA)
> 2048 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96 /home/peter/.ssh/id_rsa (RSA)
> 256 03:92:b4:ff:0b:8c:dc:39:63:d0:18:c1:1e:78:12:ff test_id (ED25519)
> $ ssh -vvv mscrabtree
> OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1t  3 May 2016
> debug1: Reading configuration data /home/peter/.ssh/config
> [...]
> debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Server accepts key: pkalg ssh-rsa blen 277
> debug2: input_userauth_pk_ok: fp 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96
> debug3: sign_and_send_pubkey: RSA 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96
> Agent admitted failure to sign using the key.
> debug1: Offering RSA public key: cardno:000500000241
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Server accepts key: pkalg ssh-rsa blen 279
> debug2: input_userauth_pk_ok: fp 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
> debug3: sign_and_send_pubkey: RSA 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
> Agent admitted failure to sign using the key.
> debug1: Offering ED25519 public key: test_id
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Server accepts key: pkalg ssh-ed25519 blen 51
> debug2: input_userauth_pk_ok: fp 03:92:b4:ff:0b:8c:dc:39:63:d0:18:c1:1e:78:12:ff
> debug3: sign_and_send_pubkey: ED25519 03:92:b4:ff:0b:8c:dc:39:63:d0:18:c1:1e:78:12:ff
> Agent admitted failure to sign using the key.

I'm not entering any password on purpose, so it will try more keys. And
it offered all it had (since I configured the server to accept them all).

Now with:
> $ cat .ssh/config
> [...]
> IdentitiesOnly yes
> 
> [...]
> Host mscrabtree
> IdentityFile /home/peter/.ssh/id_card.pub

> $ ssh -vvv mscrabtree
> [...]
> debug1: Offering RSA public key: /home/peter/.ssh/id_card.pub
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Server accepts key: pkalg ssh-rsa blen 279
> debug2: input_userauth_pk_ok: fp 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
> debug3: sign_and_send_pubkey: RSA 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
> Agent admitted failure to sign using the key.
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey).

It only offers my smartcard.

Change it to

> IdentityFile /home/peter/.ssh/test_id.pub

> $ ssh -vvv mscrabtree
> [...]
> debug1: Offering ED25519 public key: /home/peter/.ssh/test_id.pub
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Server accepts key: pkalg ssh-ed25519 blen 51
> debug2: input_userauth_pk_ok: fp 03:92:b4:ff:0b:8c:dc:39:63:d0:18:c1:1e:78:12:ff
> debug3: sign_and_send_pubkey: ED25519 03:92:b4:ff:0b:8c:dc:39:63:d0:18:c1:1e:78:12:ff
> Agent admitted failure to sign using the key.
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey).

It only offers the key test_id.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
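A small audit helper, added here and not part of the thread, that reads an `ssh -vvv` transcript like the ones above, lists which agent identities the client offered (with the fingerprint the server acknowledged), and checks them against the IdentitiesOnly / IdentityFile settings that ~/.ssh/config gives for that host. The transcripts and config are constructed from the runs quoted above; the ssh_config reader is deliberately minimal (exact Host names, no patterns or Match blocks), which is an assumption of this example.

```python
import re

OFFER_RE = re.compile(r"^debug1: Offering (\S+) public key: (.+)$")
FP_RE = re.compile(r"^debug2: input_userauth_pk_ok: fp (\S+)$")

# Constructed transcripts, trimmed to the lines the parser uses; names and fingerprints are the ones quoted above.
UNRESTRICTED_RUN = """debug1: Offering RSA public key: /home/peter/.ssh/id_rsa
debug2: input_userauth_pk_ok: fp 69:22:fd:08:4e:a5:77:c5:2c:1c:c5:e4:e3:e0:96:96
debug1: Offering RSA public key: cardno:000500000241
debug2: input_userauth_pk_ok: fp 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
debug1: Offering ED25519 public key: test_id
debug2: input_userauth_pk_ok: fp 03:92:b4:ff:0b:8c:dc:39:63:d0:18:c1:1e:78:12:ff
"""
RESTRICTED_RUN = """debug1: Offering RSA public key: /home/peter/.ssh/id_card.pub
debug2: input_userauth_pk_ok: fp 27:f1:31:87:c8:05:5e:30:32:04:61:83:af:f5:8d:a1
"""
RESTRICTED_CONFIG = "IdentitiesOnly yes\n\nHost mscrabtree\nIdentityFile /home/peter/.ssh/id_card.pub\n"


def offered_keys(transcript):
    """Identities an `ssh -vvv` run offered, in order, with the fingerprint from the server's pk_ok reply."""
    keys = []
    for line in transcript.splitlines():
        if m := OFFER_RE.match(line):
            keys.append({"type": m.group(1), "name": m.group(2), "fp": None})
        elif keys and (m := FP_RE.match(line)):
            keys[-1]["fp"] = m.group(1)  # server acknowledged the key we just offered
    return keys


def identity_policy(config, host):
    """Minimal ssh_config reader (assumption: exact Host names only): IdentitiesOnly and IdentityFile for `host`."""
    only, files, section = False, [], "*"
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "host":
            section = val
        elif key and section in ("*", host):         # global section or the matching Host block
            if key == "identitiesonly":
                only = val.lower() == "yes"
            elif key == "identityfile":
                files.append(val)
    return only, files


def unexpected_offers(config, host, transcript):
    """Offered keys the config never listed for `host`; with IdentitiesOnly set, any hit means config and log disagree."""
    only, files = identity_policy(config, host)
    return only, [k["name"] for k in offered_keys(transcript) if k["name"] not in files]
```

Run it against the first transcript above and all three agent keys come back as unexpected, which is exactly the "it offered all it had" behaviour; the restricted run returns an empty list.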



More information about the Gnupg-users mailing list