
List:       openssh-unix-dev
Subject:    Re: Keys from -i should have precedence over agent keys
From:       Max Thoursie <max () lausarve ! se>
Date:       2014-01-22 13:16:43
Message-ID: CACVHtEhKAc=6+W4HwQ569hX1noH+pJJxVJ1JPO7Pp2uahcYL1A () mail ! gmail ! com

On Tue, Jan 21, 2014 at 9:56 PM, Damien Miller <djm@mindrot.org> wrote:

> On Tue, 21 Jan 2014, Max Thoursie wrote:
>
> > Hi,
> >
> > I believe it would make more sense if,
> > when specifying a key with -i, that key (or keys) should be tried prior
> to
> > the keys in the agent.
> >
> > Otherwise, if I have many keys in my agent, the server will kick me out.
> I
> > can see no situation where one would like to use agent keys instead of
> the
> > ones explicitly stated.
> >
> > Do you agree?
>
> Yes, and that is what the code is supposed to do already. See
> sshconnect2.c:pubkey_prepare()
Only if I have the key specified in my agent. But keys from the command
line, not present in the agent, will be tried last. And I object to that.

From the comment in pubkey_prepare:

    try keys in the following order:
    1. agent keys that are found in the config file
    2. other agent keys
    3. keys that are only listed in the config file

I think it would make more sense to do 1,3,2.

The reason being that in config, or in the command line, you can tie a
specific key to a specific host, which you can't do in the agent. So given
that you have more keys than tries on the remote servers, you could then
solve that situation by providing a host specific config.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
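To make the ordering argument in the reply concrete, here is a small simulation. It is an added illustration, not code from OpenSSH or from anyone in the thread: it models the three key groups named in the quoted pubkey_prepare() comment, builds both the current (1, 2, 3) and the proposed (1, 3, 2) order, and plays each against a simplified server that disconnects after a fixed number of rejected keys (OpenSSH's MaxAuthTries, default 6). Key names, the scenario and the server model are constructed assumptions.

```python
"""Simulation of the key-ordering question raised in this thread.

Added illustration, not OpenSSH code.  The three groups follow the quoted
pubkey_prepare() comment; the server model (disconnect after max_tries
rejected keys) is a deliberate simplification of MaxAuthTries.  All key
names and the scenario below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    name: str
    in_agent: bool    # loaded into ssh-agent
    in_config: bool   # named via -i / IdentityFile for this host


def _split(keys):
    """Partition keys into the three groups named in the pubkey_prepare() comment."""
    agent_and_config = [k for k in keys if k.in_agent and k.in_config]
    agent_only = [k for k in keys if k.in_agent and not k.in_config]
    config_only = [k for k in keys if k.in_config and not k.in_agent]
    return agent_and_config, agent_only, config_only


def current_order(keys):
    """Order described in the quoted comment: groups 1, 2, 3."""
    g1, g2, g3 = _split(keys)
    return g1 + g2 + g3


def proposed_order(keys):
    """Order proposed in the reply: groups 1, 3, 2."""
    g1, g2, g3 = _split(keys)
    return g1 + g3 + g2


def attempt_login(order, accepted, max_tries=6):
    """Offer keys in the given order to a simplified server.

    Every key the server does not accept counts as one failed try; once
    max_tries keys have been rejected the server disconnects.  Returns
    (succeeded, keys_offered).
    """
    failures = 0
    for offered, key in enumerate(order, start=1):
        if key.name in accepted:
            return True, offered
        failures += 1
        if failures >= max_tries:
            return False, offered
    return False, len(order)


# Constructed scenario: six unrelated keys sit in the agent, and one key is
# given with -i for this host but is not loaded into the agent.
AGENT_KEYS = [Key(f"agent_key_{n}", in_agent=True, in_config=False)
              for n in range(1, 7)]
HOST_KEY = Key("host_specific_key", in_agent=False, in_config=True)
ALL_KEYS = AGENT_KEYS + [HOST_KEY]
SERVER_ACCEPTS = {"host_specific_key"}


def compare(keys=ALL_KEYS, accepted=SERVER_ACCEPTS, max_tries=6):
    """Return {'current': (ok, offered), 'proposed': (ok, offered)} for the scenario."""
    return {
        "current": attempt_login(current_order(keys), accepted, max_tries),
        "proposed": attempt_login(proposed_order(keys), accepted, max_tries),
    }


if __name__ == "__main__":
    for label, (ok, offered) in compare().items():
        outcome = "success" if ok else "disconnected"
        print(f"{label:8s}: {outcome} after {offered} key(s)")
```

With the current order the six agent keys are all rejected before the -i key is ever offered, so the simulated server disconnects; with the proposed order the host-specific key is offered first and succeeds. A key that is both in the agent and in the config lands in group 1 either way, which matches the "that is what the code is supposed to do already" case in the quoted reply.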